Latest GitHub Enterprise Server vulnerability: CVE-2026-3854 #
GitHub disclosed that certain versions of GitHub Enterprise Server (GHES) are affected by a remote code execution (RCE) vulnerability due to improper neutralization of special elements. Successful exploitation could allow an authenticated, low-privileged user with push access to any repository, including one they created themselves, to achieve arbitrary command execution on the GitHub server via a single git push using crafted push option values containing an unsanitized delimiter character. This vulnerability has been designated CVE-2026-3854 and has been rated high with a CVSS score of 8.7.
The following versions are affected:
- GHES 3.14.x: Versions prior to 3.14.25
- GHES 3.15.x: Versions prior to 3.15.20
- GHES 3.16.x: Versions prior to 3.16.16
- GHES 3.17.x: Versions prior to 3.17.13
- GHES 3.18.x: Versions prior to 3.18.7
- GHES 3.19.x: Versions prior to 3.19.4
What is GitHub Enterprise Server? #
GitHub Enterprise Server is a self-hosted version of GitHub that allows organizations to run an isolated instance of the platform on their own physical or virtual infrastructure, independent of external cloud services.
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged upgrade affected systems to the following versions immediately:
- GHES 3.14.x: Upgrade to 3.14.25 or later.
- GHES 3.15.x: Upgrade to 3.15.20 or later.
- GHES 3.16.x: Upgrade to 3.16.16 or later.
- GHES 3.17.x: Upgrade to 3.17.13 or later.
- GHES 3.18.x: Upgrade to 3.18.7 or later.
- GHES 3.19.x: Upgrade to 3.19.4 or later.
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=GitHub AND product:="Enterprise%"
