2026-04-28 The Hacker News

Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Push

Tags: Zero-Day, Vulnerability, Supply Chain

Security researchers from CyberSec Labs have identified a critical remote-code-execution (RCE) vulnerability in both GitHub.com and GitHub Enterprise Server. Tracked as CVE-2026-3854, the flaw carries a CVSS v3.1 score of 9.8, placing it in the critical severity tier. Affected versions include GitHub Enterprise Server prior to 3.9.5 (including the 3.8.x branch before 3.8.12) and the cloud-hosted service prior to the March 2026 patch release.

The weakness resides in Git's hook execution pipeline, specifically the post-update hook that runs after a successful push. By embedding a specially crafted payload within a commit's .git/hooks/post-update file, an authenticated attacker can cause the hook script to be interpreted by the server's underlying shell without proper sanitization. The malicious payload, once executed, opens a reverse TCP shell to an attacker-controlled host, granting full operating-system-level access on the target runner.

Because GitHub serves as the backbone of countless CI/CD pipelines, automated builds, and package registries, successful exploitation could propagate malicious code to every downstream consumer of a repository. This elevates the risk beyond a single account compromise to a potential supply-chain attack vector, where compromised hooks could inject backdoors into released artifacts or trigger unauthorized deployments.

GitHub has already deployed a mitigation in the latest Enterprise Server release and pushed a server-side patch for GitHub.com. Administrators should upgrade immediately to version 3.9.5 (or 3.8.12 for the LTS branch) and enable the newly introduced hook-deny-list feature, which blocks execution of any hook not explicitly allow-listed. Users are also advised to audit existing repositories for custom hooks, restrict repository creation permissions, and monitor for anomalous outbound connections that may indicate a live reverse shell.
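The hook audit recommended above can be scripted: Git ships only inactive `*.sample` files in each `hooks/` directory, so any executable hook without that suffix is a live hook worth reviewing. The following is an added example written for this page, not code from The Hacker News, CyberSec Labs or GitHub; the repository layout it scans is constructed in the block, and the repository names are assumptions.

```python
import stat
import tempfile
from pathlib import Path


def find_active_hooks(repo_root: Path) -> list[tuple[str, str]]:
    """Return (repository, hook name) pairs for every executable,
    non-sample file found in any hooks/ directory under repo_root.

    Git installs '*.sample' hooks that never run; a hook only becomes
    live once the suffix is dropped and the file is executable, so
    those are the files an audit should surface for review."""
    findings = []
    for hooks_dir in sorted(repo_root.rglob("hooks")):
        if not hooks_dir.is_dir():
            continue
        for hook in sorted(hooks_dir.iterdir()):
            if hook.suffix == ".sample" or not hook.is_file():
                continue
            if hook.stat().st_mode & stat.S_IXUSR:
                repo = hook.parent.parent.relative_to(repo_root).as_posix()
                findings.append((repo, hook.name))
    return findings


def build_sample_tree() -> Path:
    """Construct a throwaway directory imitating two bare repositories
    (assumed names): one with only .sample hooks, one with a live
    post-update hook. Constructed data for the demonstration only."""
    root = Path(tempfile.mkdtemp(prefix="hook-audit-"))
    clean = root / "team" / "clean.git" / "hooks"
    suspect = root / "team" / "suspect.git" / "hooks"
    for hooks_dir in (clean, suspect):
        hooks_dir.mkdir(parents=True)
        (hooks_dir / "post-update.sample").write_text("#!/bin/sh\nexit 0\n")
    live = suspect / "post-update"
    live.write_text("#!/bin/sh\necho 'constructed placeholder hook'\n")
    live.chmod(live.stat().st_mode | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    for repo, name in find_active_hooks(build_sample_tree()):
        print(f"{repo}: active hook {name}")
```

Point `find_active_hooks` at the directory that holds your server's bare repositories; each hit is a hook that will run on push and should be reviewed against the allow-list.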

Source: The Hacker News
