GitHub RCE Flaw CVE-2026-3854 Triggers on a Single Git Push
Original source: Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push (The Hacker News)

Researchers have disclosed CVE-2026-3854, a critical remote code execution vulnerability in GitHub that can be triggered by a single git push operation. The flaw sits in the path that processes incoming repository updates, so an attacker who can push to a repository, or who tricks a victim into accepting a crafted push, can execute code in the affected context without further interaction.
The single-push trigger is what elevates this from a routine server-side bug to a supply-chain-grade concern. Build runners, mirrors, and downstream automation that auto-pull from upstream all fall within the potential blast radius of a malicious commit object, and any organization that grants broad push rights across its repositories has effectively extended the exposure to every contributor.
Mitigation hinges on GitHub's server-side patch rather than on anything individual users can configure away. Until rollout is confirmed across self-hosted and Enterprise installations, treat untrusted push sources as hostile, audit webhook and CI triggers tied to repository updates, and limit exposure by tightening branch protection and required-reviewer rules on critical repositories.
This is an AI-generated summary. Read the original for the full story.