GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub’s internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command - using nothing but a standard git client.
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified. Despite the complexity of the underlying system, the vulnerability is remarkably easy to exploit. On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes. On GitHub Enterprise Server, the same vulnerability grants full server compromise, including access to all hosted repositories and internal secrets.
GitHub mitigated this issue on GitHub.com within 6 hours of our report, released patches for all supported versions of GitHub Enterprise Server, and published the CVE at the time of release. GitHub Enterprise Server customers should upgrade immediately - at the time of this writing, our data indicates that 88% of instances are still vulnerable. Detailed remediation steps and further technical details are available in GitHub’s security blog post.
GitHub greatly appreciates the collaboration, professionalism, and partnership that Wiz has shown throughout this process. A finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program, and serves as a reminder that the most impactful security research comes from skilled researchers who know how to ask the right questions. As the landscape evolves, these close partnerships with talented hunters and researchers are more important than ever. — Alexis Wales, GitHub CISO
This post breaks down the vulnerability, walks through the exploitation chain, and provides recommendations for GHES administrators to protect their environments.
Figure: Vulnerability overview - a single git push compromises GitHub’s internal infrastructure
Required Actions and Mitigations
GitHub.com: GitHub has mitigated this issue. No action is required for GitHub.com users.
GitHub Enterprise Server: Immediate action required. Upgrade to GHES version 3.19.3 or later - this release patches CVE-2026-3854.
Affected Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| GitHub Enterprise Server | <= 3.19.1 | 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3 |
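To turn the table above into a fleet check, the following added example (not code from Wiz or GitHub) classifies reported GHES versions against the first patched release of each supported line. It assumes that release lines older than 3.14 are out of support and receive no fix, and that any line newer than 3.19 ships with the fix; the inventory is constructed sample data.

```python
import re

# First patched release for each supported GHES line, taken from the table above.
FIXED_BY_LINE: dict[tuple[int, int], int] = {
    (3, 14): 24,
    (3, 15): 19,
    (3, 16): 15,
    (3, 17): 12,
    (3, 18): 6,
    (3, 19): 3,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z'; any trailing build or release suffix is ignored."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised GHES version: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for one GHES version."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_BY_LINE:
        return "patched" if patch >= FIXED_BY_LINE[line] else "vulnerable"
    if line > max(FIXED_BY_LINE):
        return "patched"  # assumption: lines newer than 3.19 include the fix
    return "unsupported"  # assumption: lines older than 3.14 get no patch


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the vulnerable set can be acted on."""
    report: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unsupported": []}
    for host, version in sorted(inventory.items()):
        report[assess(version)].append(host)
    return report


# Constructed sample inventory (hostname -> GHES version reported by the instance).
SAMPLE_INVENTORY = {
    "ghes-prod.example.internal": "3.19.1",
    "ghes-dr.example.internal": "3.18.6",
    "ghes-staging.example.internal": "3.17.11",
    "ghes-legacy.example.internal": "3.13.9",
    "ghes-new.example.internal": "3.20.0",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

Hosts in the "unsupported" bucket need an upgrade to a supported line before any of the listed fixed versions apply to them.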
Find Vulnerable GHES Instances with Wiz
Wiz customers can identify vulnerable GitHub Enterprise Server instances in their environments using this pre-built query in the Wiz Threat Center. The query identifies all GHES instances running a version vulnerable to this issue.
Figure: Wiz Threat Center query for vulnerable GHES instances
Why We Researched GitHub’s Git Infrastructure
GitHub is the world’s largest code hosting platform, home to hundreds of millions of repositories spanning open source projects, enterprise codebases, and critical infrastructure. Its internal git infrastructure—the pipeline that processes every git push—is one of the most security-sensitive systems on the internet. When a user pushes code, it passes through multiple internal services, each written in a different programming language. This multi-service architecture creates opportunities for inconsistencies in how each component parses and trusts shared data.
We’ve looked into GitHub Enterprise Server (GHES) in the past to hunt for these exact types of vulnerabilities. However, extracting and auditing the sheer volume of compiled blackbox binaries that run this pipeline historically required an impractical amount of time and manual effort.