GitHub patches sweeping RCE flaw that could expose millions of repos

GitHub fixed CVE-2026-3854, a remote code execution flaw that could let attackers gain full read/write access to private repositories with a single crafted git push. Reported by Wiz in March 2026, GitHub reproduced the issue within 40 minutes and deployed a fix on GitHub.com within two hours, with patches issued for GitHub Enterprise Server across supported releases. The vulnerability affected GitHub.com and multiple GHES products; Wiz warned exploitation could have exposed most enterprises’ codebases. GitHub says no customer data was accessed and no exploitation was observed before the patch, though about 88% of reachable GHES instances were still vulnerable at disclosure, prompting administrators to upgrade promptly.
- GitHub fixes RCE flaw that gave access to millions of private repos (BleepingComputer)
- Securing the git push pipeline: Responding to a critical remote code execution vulnerability (The GitHub Blog)
- Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push (The Hacker News)
- Critical GitHub Vulnerability Exposed Millions of Repositories (SecurityWeek)
- GitHub: Woah, a genuinely helpful AI-assisted bug report that isn't total slop. Here, Wiz, take this wad of cash (theregister.com)