CVE-2026-3854
Published: 10 March 2026
Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of user-supplied push option inputs to neutralize special elements like delimiters, preventing injection into internal service headers.
Mandates timely remediation of flaws such as improper neutralization of special elements in GitHub Enterprise Server, as demonstrated by the vendor patches.
Enforces restrictions on information inputs like push options to limit format, size, and content, reducing the risk of crafted values enabling header injection.
Security Summary
CVE-2026-3854 is an improper neutralization of special elements vulnerability (CWE-77) in GitHub Enterprise Server. It affects versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, and 3.19.4. The issue arises during git push operations, where user-supplied push option values are not properly sanitized before inclusion in internal service headers. A delimiter character in the header format, which can appear in user input, enables attackers to inject additional metadata fields through crafted push options, potentially leading to remote code execution on the GitHub Enterprise Server instance. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker requires push access to any repository on the GitHub Enterprise Server instance to exploit this vulnerability. By crafting malicious push option values during a git push, the attacker can inject unauthorized metadata into internal service headers, since those values are not sanitized before being embedded. Successful exploitation grants remote code execution on the server, allowing high confidentiality, integrity, and availability impacts without user interaction or elevated privileges beyond repository push rights.
GitHub addressed this vulnerability in the specified patch releases, as detailed in their enterprise server release notes. Administrators should upgrade to the fixed release for their maintenance branch: GitHub Enterprise Server 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 or 3.19.4, or a later release on that branch. The issue was responsibly disclosed through the GitHub Bug Bounty program.
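The following added example (not GitHub's code) models the CWE-77 pattern the advisory describes: a push option value is copied into a delimiter-separated internal header, so a value carrying the delimiter smuggles an extra field, and a hardened builder rejects such input. The header format, field names, delimiter and sample values are all hypothetical.

```python
"""Delimiter injection through a push option, and its input-validation fix.

The header layout below (key=value fields joined by ';') is a constructed
stand-in for the unspecified internal service header in CVE-2026-3854.
"""

DELIM = ";"  # hypothetical field delimiter of the internal header
FORBIDDEN = (DELIM, "=", "\r", "\n", "\0")  # characters that carry structure


class PushOptionError(ValueError):
    """Raised when a push option could be interpreted as header structure."""


def build_header_unsafe(repo: str, user: str, push_option: str) -> str:
    """Vulnerable pattern: user input is concatenated without neutralizing DELIM."""
    return DELIM.join([f"repo={repo}", f"user={user}", f"push_option={push_option}"])


def parse_header(header: str) -> dict:
    """Consumer side: splits on DELIM; a later duplicate key overrides an earlier one."""
    fields = {}
    for part in header.split(DELIM):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def sanitize_push_option(value: str, max_len: int = 256) -> str:
    """Hardened pattern: constrain format, size and content (reject, do not repair)."""
    if len(value) > max_len:
        raise PushOptionError("push option exceeds %d characters" % max_len)
    if any(ch in value for ch in FORBIDDEN):
        raise PushOptionError("push option contains a header delimiter or separator")
    if not value.isprintable():
        raise PushOptionError("push option contains non-printable characters")
    return value


def build_header_safe(repo: str, user: str, push_option: str) -> str:
    """Same header layout, but the user-controlled field is validated first."""
    return build_header_unsafe(repo, user, sanitize_push_option(push_option))


if __name__ == "__main__":
    # Constructed push option: a benign-looking value followed by a smuggled field.
    crafted = "ci.skip" + DELIM + "injected=yes"
    print(parse_header(build_header_unsafe("org/app", "alice", crafted)))
    try:
        build_header_safe("org/app", "alice", crafted)
    except PushOptionError as err:
        print("rejected:", err)
```

Rejecting rather than escaping keeps the consumer's parser unchanged; if escaping is chosen instead, the consumer must unescape with the exact same rules or the two sides will disagree on field boundaries.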
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote code execution on GitHub Enterprise Server via crafted git push options, directly enabling exploitation of a public-facing application.