Wiz Research Saved GitHub from a Critical Vulnerability

Wiz Research, a recognized cloud security company, reported a critical vulnerability in GitHub on March 4, 2026. The flaw, identified as CVE-2026-3854, received a CVSS score of 8.7. The vulnerability allowed an attacker to execute arbitrary code in GitHub's backend infrastructure through a simple git push command. The issue was in the internal handling of certain headers and push options used when pushing changes.

Image from Wiz Research

According to Wiz, the flaw was surprisingly easy to exploit despite the complexity of the affected infrastructure. Any GitHub user with Git installed could exploit the vulnerability.

GitHub fixed the issue a few hours after receiving the report and later published the vulnerability together with patches for GitHub Enterprise Server.

GitHub RCE Vulnerability: CVE-2026-3854 Breakdown | Wiz Blog
A CVSS 8.7 vulnerability in GitHub Enterprise Server allows remote code execution. Read the threat brief and find vulnerable GHES instances from Wiz.
