CVE-2026-3854 GitHub — Exploit & Vulnerability Details HIGH

Parameter	Value
CVSS	8.7 (HIGH)
Affected Versions	3.15.0 — 3.19.3
Fixed In	3.14.24
Type	CWE-77 (Command Injection)
Vendor	GitHub
Public PoC	No

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values.

This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Attack Parameters

Attack Vector

Network

Can be exploited remotely

Attack Complexity

Low

Easy to exploit

Attack Requirements

None

No additional conditions

Privileges Required

Low

Basic privileges needed

User Interaction

None

No user interaction needed

Impact Assessment

Confidentiality

High

Complete data leak

Integrity

High

Complete data modification

Availability

High

Complete denial of service

CVSS Vector v4.0

Weakness Type (CWE)

CWE-77 Command Injection

Vulnerable Products 6

Configuration	From (including)	Up to (excluding)
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	—	`3.14.24`
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	`3.15.0`	`3.15.19`
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	`3.16.0`	`3.16.15`
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	`3.17.0`	`3.17.12`
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	`3.18.0`	`3.18.6`
Github Enterprise_Server cpe:2.3:a:github:enterprise_server::::::::	`3.19.0`	`3.19.3`