CVE-2026-3854

HIGH

GitHub Enterprise Server RCE via Git Push Option Injection

Title source: llm

Exploitation Summary

EIP tracks 10 public exploits for CVE-2026-3854. PoCs published by adminlove520, Hex0rc1st, jenniferreire26.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2026-3854, demonstrating how semicolon injection in Git push options can override security-critical fields in the X-Stat header, leading to RCE. The PoC includes a detailed technical writeup and a Python script that simulates the vulnerability and patch behavior.

Description

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.

Exploits (10)

github WORKING POC 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-3854

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitHub Enterprise Server and GitHub.com
Auth required
Prerequisites: GitHub account with push access · Python 3.10 or later
devstral-2 · analyzed May 17, 2026
github SUSPICIOUS
by jenniferreire26 · poc
https://github.com/jenniferreire26/CVE-2026-3854

The repository claims to provide an exploit for CVE-2026-3854, a GitHub Enterprise Server RCE vulnerability, but lacks actual exploit code. Instead, it directs users to an external download link, which is a common tactic for malicious or fake PoCs.

Classification: Suspicious 95%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: GitHub Enterprise Server
Auth required
Prerequisites: push access to a repository · reachable vulnerable target
devstral-2 · analyzed Jun 09, 2026
github SUSPICIOUS
by daniel30padd · poc
https://github.com/daniel30padd/CVE-2026-3854

The repository claims to provide an exploit for CVE-2026-3854, a remote code execution vulnerability in GitHub Enterprise Server, but only includes a README with a link to an external download. No actual exploit code is present.

Classification: Suspicious 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: GitHub Enterprise Server
Auth required
Prerequisites: push access to a repository · reachable vulnerable target
devstral-2 · analyzed May 25, 2026
github SCANNER
by ridhinva · pythonpoc
https://github.com/ridhinva/CVE-2026-3854-GHE-RCE

The repository contains a Python-based scanner for CVE-2026-3854, which targets GitHub Enterprise Server (GHE) for potential RCE via push option injection. The scanner checks for accessible endpoints but does not include exploit code for achieving RCE.

Classification: Scanner 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: GitHub Enterprise Server (versions before 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, 3.19.4)
No auth needed
Prerequisites: Network access to the target GHE instance
devstral-2 · analyzed May 23, 2026
nomisec SCANNER
by isagoakira · poc
https://github.com/isagoakira/ghes-cve-scanner

This repository contains a defensive security tool for detecting vulnerabilities in GitHub Enterprise Server (GHES) instances, specifically CVE-2026-3854 and CVE-2026-4821. It includes version detection and vulnerability checking logic but does not contain exploit code.

Classification: Scanner 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: GitHub Enterprise Server (GHES)
No auth needed
Prerequisites: Access to the target GHES instance
devstral-2 · analyzed May 06, 2026
github STUB
by simondankelmann · poc
https://github.com/simondankelmann/cve-2026-3854-test

The repository contains only a minimal README with no exploit code or technical details. It mentions 'patch bypass testing' and includes two numeric values, but lacks any meaningful content or context.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 29, 2026
github WORKING POC
by lysophavin18 · pythonpoc
https://github.com/lysophavin18/CVE-2026-3854-PoC

This repository contains a functional Python-based proof-of-concept for CVE-2026-3854, demonstrating how semicolon injection in Git push options can override security-critical fields in the X-Stat header, leading to unsandboxed RCE. The PoC includes three demonstrations: basic injection, a full RCE chain, and patched behavior.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitHub Enterprise Server and GitHub.com
Auth required
Prerequisites: Git push access to a vulnerable GitHub instance · Python 3.10 or later
devstral-2 · analyzed Apr 29, 2026
github WRITEUP
by LACHHAB-Anas · poc
https://github.com/LACHHAB-Anas/Exploit_CVE-2026-3854

The repository provides a technical description of CVE-2026-3854, a Remote Code Execution vulnerability in GitHub.com and GitHub Enterprise Server. It explains the exploitation method via command injection in git push options and includes version details for vulnerable and fixed releases.

Classification: Writeup 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Theoretical
Target: GitHub Enterprise Server <= 3.19.1
Auth required
Prerequisites: access to a repository with push permissions · vulnerable GitHub Enterprise Server version
devstral-2 · analyzed Apr 29, 2026
github WRITEUP
by 5kr1pt · poc
https://github.com/5kr1pt/CVE-2026-3854

Technical analysis of CVE-2026-3854, detailing how an authenticated attacker can achieve RCE on GitHub via header injection in the X-Stat header during git push operations. The vulnerability involves improper sanitization of semicolons in push options, allowing manipulation of critical fields like rails_env, custom_hooks_dir, and repo_pre_receive_hooks.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: GitHub.com and GitHub Enterprise Server
Auth required
Prerequisites: authenticated access to a GitHub repository · vulnerable version of GitHub Enterprise Server
devstral-2 · analyzed Apr 29, 2026

Scores

CVSS v3 8.8
EPSS 0.0034
EPSS Percentile 57.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (7)
GitHub/Enterprise Server 3.14.0 - 3.14.24
GitHub/Enterprise Server 3.15.0 - 3.15.19
GitHub/Enterprise Server 3.16.0 - 3.16.15
GitHub/Enterprise Server 3.17.0 - 3.17.12
GitHub/Enterprise Server 3.18.0 - 3.18.6
GitHub/Enterprise Server 3.19.0 - 3.19.3
github/enterprise_server < 3.14.24
Published Mar 10, 2026
Tracked Since Mar 11, 2026