Threat Advisory

GitHub Vulnerabilities Expose Backend Infrastructure Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-3854, with a CVSS score of 8.8, is a critical Remote Code Execution (RCE) vulnerability in GitHub's internal git infrastructure, affecting GitHub Enterprise Server (GHES) versions <= 3.19.1. The root cause is a breakdown of trust between internal components: the RPC server (gitrpcd) trusts the proxy (babeld) completely and treats every field of the X-Stat header as authoritative, without sanitization. An authenticated attacker can insert a semicolon into a push option to inject additional fields into that header, bypassing security controls and executing arbitrary binaries directly on the server. This yields code execution on backend infrastructure, compromising the shared storage nodes and granting access to millions of public and private repository entries. If exploited, the business impact would be severe: significant unauthorized access to sensitive data, potentially exposing millions of private repositories. Prerequisites for exploitation are authenticated access and the ability to manipulate the X-Stat header.
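To make the trust-boundary failure described above concrete, the following is an added example (not code from this advisory, from GitHub, or from the cited research) that contrasts a proxy which embeds client push options into a semicolon-delimited header without validation with one that rejects the delimiter, and a backend that treats every header field as authoritative with one that allowlists the command it will run. The header layout, the field names (`repo`, `user`, `opt`, `cmd`) and all function names are assumptions made for illustration; the real X-Stat format and the gitrpcd/babeld code are not reproduced.

```python
"""Illustration of the header-field injection class behind CVE-2026-3854.

The field layout below is a constructed example, not GitHub's X-Stat format.
"""

FIELD_SEP = ";"  # assumed delimiter between fields in the proxy-built header
RESERVED = FIELD_SEP + "=\r\n"  # characters a client value must never carry


class PushOptionError(ValueError):
    """Raised when a client-supplied push option cannot be safely embedded."""


def build_header_unchecked(repo: str, user: str, push_opts: list[str]) -> str:
    """Vulnerable pattern: the proxy concatenates client input into the header
    without rejecting the delimiter, so one push option can end its own field
    and smuggle additional key=value pairs into the header."""
    fields = [f"repo={repo}", f"user={user}"]
    fields += [f"opt={o}" for o in push_opts]
    return FIELD_SEP.join(fields)


def build_header_checked(repo: str, user: str, push_opts: list[str]) -> str:
    """Hardened pattern: refuse any push option containing a reserved character,
    so a client value can never terminate its field or start a new one."""
    for o in push_opts:
        if any(c in o for c in RESERVED):
            raise PushOptionError(f"push option contains reserved character: {o!r}")
    return build_header_unchecked(repo, user, push_opts)


def parse_header(header: str) -> dict[str, list[str]]:
    """Split the header into key -> [values]. Duplicates are kept so a consumer
    can detect when an injected field shadows a proxy-set one."""
    out: dict[str, list[str]] = {}
    for field in header.split(FIELD_SEP):
        if not field:
            continue
        key, _, value = field.partition("=")
        out.setdefault(key, []).append(value)
    return out


def backend_decision_trusting(header: str) -> str:
    """Backend that treats every header field as authoritative, the pattern the
    advisory describes: the last 'cmd' value wins, regardless of who wrote it."""
    fields = parse_header(header)
    return fields.get("cmd", ["git-receive-pack"])[-1]


ALLOWED_CMDS = frozenset({"git-receive-pack", "git-upload-pack"})


def backend_decision_allowlisted(header: str) -> str:
    """Backend that does not rely on the proxy having been honest: only a fixed
    allowlist of git service commands is ever run, and any duplicated field is
    treated as tampering and refused."""
    fields = parse_header(header)
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("duplicate header field")
    cmd = fields.get("cmd", ["git-receive-pack"])[0]
    if cmd not in ALLOWED_CMDS:
        raise ValueError(f"command not in allowlist: {cmd!r}")
    return cmd


if __name__ == "__main__":
    # Constructed input: a benign option and one carrying the delimiter.
    benign = build_header_unchecked("org/repo", "alice", ["ci-skip"])
    tainted = build_header_unchecked("org/repo", "alice", ["ci-skip;cmd=injected"])
    print("benign  ->", backend_decision_trusting(benign))
    print("tainted ->", backend_decision_trusting(tainted))  # trusting backend runs the injected value
    try:
        build_header_checked("org/repo", "alice", ["ci-skip;cmd=injected"])
    except PushOptionError as err:
        print("proxy rejected:", err)
    try:
        backend_decision_allowlisted(tainted)
    except ValueError as err:
        print("backend rejected:", err)
```

The two fixes are independent and both belong in a defence in depth design: the proxy must validate what it forwards, and the backend must not let any upstream-supplied field choose which binary runs. Detection-wise, push options containing the header delimiter are a cheap thing to log and alert on at the proxy.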

RECOMMENDATION:

We recommend updating GitHub Enterprise Server to version 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, or 3.19.3.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/github-internal-infrastructure-rce-cve-2026-3854-wiz-research/
