Cyber Posture

CVE-2026-3854

Severity: High · Impact: RCE

Published: 10 March 2026

Modified: 17 April 2026
Patch: available (fixed versions listed below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0035 (57.7th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3854 is a high-severity Command Injection (CWE-77) vulnerability in GitHub Enterprise Server. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 42.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 (Information Input Validation). Directly requires validation and sanitization of user-supplied push option inputs to neutralize special elements such as delimiters, preventing injection into internal service headers.

Prevent: SI-2 (Flaw Remediation). Mandates timely remediation of flaws such as improper neutralization of special elements in GitHub Enterprise Server, as demonstrated by the vendor patches.

Prevent: Enforces restrictions on information inputs such as push options to limit format, size, and content, reducing the risk of crafted values enabling header injection.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows remote code execution on GitHub Enterprise Server via crafted git push options, directly enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Deeper analysis

CVE-2026-3854 is an improper neutralization of special elements vulnerability (CWE-77) in GitHub Enterprise Server. It affects versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, and 3.19.4. The issue arises during git push operations, where user-supplied push option values are not properly sanitized before inclusion in internal service headers. A delimiter character in the header format, which can appear in user input, enables attackers to inject additional metadata fields through crafted push options, potentially leading to remote code execution on the GitHub Enterprise Server instance. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker requires push access to any repository on the GitHub Enterprise Server instance to exploit this vulnerability. By supplying crafted push option values during a git push, the attacker can inject unauthorized metadata fields into internal service headers, because the sanitization in place did not neutralize the header's own delimiter character. Successful exploitation grants remote code execution on the server, with high confidentiality, integrity, and availability impact, without user interaction and without privileges beyond repository push rights.
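The root cause described above and in the SI-10 control entry is a serialisation step that trusts user input to be free of the header's delimiter. The following Ruby is an added example, not GitHub's code: the internal header format of GitHub Enterprise Server is not public, so the field delimiter, key/value separator, length bound and key pattern below are all constructed assumptions. It puts the naive builder beside an allow-list builder and shows, via the receiver-side parser, why one push option can turn into several fields in the naive case and is refused outright in the hardened case.

```ruby
# Constructed example: a hypothetical internal header that carries git push
# options (git push -o key=value) from the front end to a back-end service.
# Delimiters, limits and key pattern are assumptions, not the real format.
FIELD_DELIM = ';'.freeze
KV_DELIM = '='.freeze
MAX_VALUE_LENGTH = 256
KEY_PATTERN = /\A[a-z][a-z0-9_-]{0,31}\z/

# Naive builder: joins user-supplied values straight into the header.
# Because FIELD_DELIM may appear in a value, one option can become several
# fields once the receiver splits the header back apart.
def build_header_naive(options)
  options.map { |k, v| "#{k}#{KV_DELIM}#{v}" }.join(FIELD_DELIM)
end

# Receiver side: the back-end service splits the header into a field hash.
def parse_header(header)
  header.split(FIELD_DELIM).map { |f| f.split(KV_DELIM, 2) }.to_h
end

class InvalidPushOption < StandardError; end

# Characters that must never reach the header unencoded: both delimiters,
# control characters (including 0x7f) and anything outside ASCII.
DISALLOWED = Regexp.union(FIELD_DELIM, KV_DELIM, /[[:cntrl:]]/)

# Allow-list validation (NIST SI-10): keys are restricted to a fixed pattern,
# values are bounded in length and may not contain the disallowed characters.
# Returns true when the option is acceptable, raises InvalidPushOption otherwise.
def validate_push_option!(key, value)
  raise InvalidPushOption, "bad key: #{key.inspect}" unless key.match?(KEY_PATTERN)
  raise InvalidPushOption, "value too long for #{key}" if value.bytesize > MAX_VALUE_LENGTH
  if value.match?(DISALLOWED) || !value.ascii_only?
    raise InvalidPushOption, "disallowed character in value for #{key}"
  end
  true
end

# Hardened builder: every option is validated before serialisation, so the
# header can only ever carry the fields the caller intended.
def build_header_safe(options)
  options.each { |k, v| validate_push_option!(k, v) }
  build_header_naive(options)
end

# Number of fields the receiver will see for a given header; for the naive
# builder this can exceed the number of options that were supplied.
def received_field_count(header)
  parse_header(header).size
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one benign option and one carrying the delimiter.
  sample = { 'ci-skip' => 'true', 'note' => 'hello;extra=1' }
  puts "naive header fields: #{received_field_count(build_header_naive(sample))}"
  begin
    build_header_safe(sample)
  rescue InvalidPushOption => e
    puts "hardened builder rejected input: #{e.message}"
  end
end
```

Rejecting rather than escaping is the deliberate choice here: an escaping scheme must be applied identically on both sides of the header, and a mismatch between builder and parser is exactly the kind of defect that produced this CVE. A strict allow-list fails closed, is trivial to audit, and makes the rejection visible in logs, which also gives defenders a detection point for push options that contain characters no legitimate client should send.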

GitHub addressed this vulnerability in the patch releases listed in its Enterprise Server release notes. Administrators should upgrade to the fixed release of whichever maintenance branch they run: 3.14.25 or later, 3.15.20 or later, 3.16.16 or later, 3.17.13 or later, 3.18.7 or later, or 3.19.4 or later. The issue was responsibly disclosed through the GitHub Bug Bounty program.

Details

CWE(s): CWE-77 (Command Injection)

Affected Products

GitHub Enterprise Server: ≤ 3.14.24 · 3.15.0 – 3.15.19 · 3.16.0 – 3.16.15

CVEs Like This One

CVE-2026-0573 · Same product: GitHub Enterprise Server
CVE-2026-5845 · Same product: GitHub Enterprise Server
CVE-2026-5921 · Same product: GitHub Enterprise Server
CVE-2024-10001 · Same product: GitHub Enterprise Server
CVE-2025-23369 · Same product: GitHub Enterprise Server
CVE-2026-30461 · Shared CWE-77
CVE-2025-24285 · Shared CWE-77
CVE-2025-56425 · Shared CWE-77
CVE-2025-55637 · Shared CWE-77
CVE-2024-39759 · Shared CWE-77