Description
An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
Published: 2026-03-10
Score: 8.7 High
EPSS: 9.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper neutralization of special elements vulnerability in GitHub Enterprise Server lets attackers with push access to a repository cause remote code execution by injecting malicious metadata fields during a git push. User‑supplied push option values are not sanitized before being placed into internal service headers. Because the header format uses a delimiter that can appear in the push options, crafted values can introduce additional metadata fields that the server interprets as legitimate. This injection flaw (CWE‑77) can compromise the confidentiality, integrity, and availability of the entire instance. GitHub has released patches starting with GitHub Enterprise Server 3.14.25 and subsequent minor releases, which fix this issue.

Affected Systems

GitHub Enterprise Server installations running any version older than 3.14.25 are affected, including all earlier releases such as 3.14.24 and previous minor versions. Any repository that grants push access to a user can be targeted; the attacker only needs push permission on a specific repository, not administrative privileges.

Risk and Exploitability

With a CVSS score of 8.7, the vulnerability is considered high severity, but the EPSS score is 10%, indicating that exploit attempts are more common. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. Based on the description, the likely attack vector is local via legitimate git push operations, requiring an attacker to have push access to the target repository.

Generated by OpenCVE AI on June 18, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest GitHub Enterprise Server patch (3.19.4 or later) to fix the push option injection flaw.
  • Temporarily revoke or restrict push permissions for untrusted users until a patch is applied.
  • Monitor git push logs for abnormal header values and investigate any unexpected metadata injection.

Generated by OpenCVE AI on June 18, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Fri, 17 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Description An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3. An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7 and 3.19.4.
References

Thu, 12 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Github
Github enterprise Server
Vendors & Products Github
Github enterprise Server

Tue, 10 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.
Title Remote code execution via git push option injection in GitHub Enterprise Server
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Github Enterprise Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-04-29T03:55:48.782Z

Reserved: 2026-03-09T20:19:58.513Z

Link: CVE-2026-3854

cve-icon Vulnrichment

Updated: 2026-03-11T14:27:32.082Z

cve-icon NVD

Status : Modified

Published: 2026-03-10T18:19:06.007

Modified: 2026-06-17T10:44:20.717

Link: CVE-2026-3854

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T10:30:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')