{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3854", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "state": "PUBLISHED", "assignerShortName": "GitHub_P", "dateReserved": "2026-03-09T20:19:58.513Z", "datePublished": "2026-03-10T17:37:34.890Z", "dateUpdated": "2026-03-11T14:27:37.580Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-03-10T17:37:34.890Z"}, "title": "Remote code execution via git push option injection in GitHub Enterprise Server", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "version": "3.14.0", "lessThanOrEqual": "3.14.23", "changes": [{"at": "3.14.24", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.15.0", "lessThanOrEqual": "3.15.18", "changes": [{"at": "3.15.19", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.16.0", "lessThanOrEqual": "3.16.14", "changes": [{"at": "3.16.15", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.17.0", "lessThanOrEqual": "3.17.11", "changes": [{"at": "3.17.12", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.18.0", "lessThanOrEqual": "3.18.5", "changes": [{"at": "3.18.6", "status": "unaffected"}], "versionType": "semver"}, {"status": "affected", "version": "3.19.0", "lessThanOrEqual": "3.19.2", "changes": [{"at": "3.19.3", "status": "unaffected"}], "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.<br>"}]}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24"}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19"}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Sagi Tzadik @ Wiz.io", "type": "finder"}], "source": {"discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:27:26.527095Z", "id": "CVE-2026-3854", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:27:37.580Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3854", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T14:27:26.527095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:27:32.082Z"}}], "cna": {"title": "Remote code execution via git push option injection in GitHub Enterprise Server", "source": {"discovery": "INTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Sagi Tzadik @ Wiz.io"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "GitHub", "product": "Enterprise Server", "versions": [{"status": "affected", "changes": [{"at": "3.14.24", "status": "unaffected"}], "version": "3.14.0", "versionType": "semver", "lessThanOrEqual": "3.14.23"}, {"status": "affected", "changes": [{"at": "3.15.19", "status": "unaffected"}], "version": "3.15.0", "versionType": "semver", "lessThanOrEqual": "3.15.18"}, {"status": "affected", "changes": [{"at": "3.16.15", "status": "unaffected"}], "version": "3.16.0", "versionType": "semver", "lessThanOrEqual": "3.16.14"}, {"status": "affected", "changes": [{"at": "3.17.12", "status": "unaffected"}], "version": "3.17.0", "versionType": "semver", "lessThanOrEqual": "3.17.11"}, {"status": "affected", "changes": [{"at": "3.18.6", "status": "unaffected"}], "version": "3.18.0", "versionType": "semver", "lessThanOrEqual": "3.18.5"}, {"status": "affected", "changes": [{"at": "3.19.3", "status": "unaffected"}], "version": "3.19.0", "versionType": "semver", "lessThanOrEqual": "3.19.2"}], "defaultStatus": "affected"}], "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24"}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19"}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.", "supportingMedia": [{"type": "text/html", "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "shortName": "GitHub_P", "dateUpdated": "2026-03-10T17:37:34.890Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3854", "state": "PUBLISHED", "dateUpdated": "2026-03-11T14:27:37.580Z", "dateReserved": "2026-03-09T20:19:58.513Z", "assignerOrgId": "82327ea3-741d-41e4-88f8-2cf9e791e760", "datePublished": "2026-03-10T17:37:34.890Z", "assignerShortName": "GitHub_P"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB7E4D72-FF86-46B4-B083-AF569D3C3113", "versionEndExcluding": "3.14.24", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F454B367-74E1-49D4-A8C0-BCE14CF453E5", "versionEndExcluding": "3.15.19", "versionStartIncluding": "3.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC07747C-95D1-4438-BBD8-9BC3C8F6B5F6", "versionEndExcluding": "3.16.15", "versionStartIncluding": "3.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "71BDBBDA-966C-419F-8D4F-5E7FB2411AE8", "versionEndExcluding": "3.17.12", "versionStartIncluding": "3.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "32CB5071-12A8-4C9A-9572-4FBC5C20F869", "versionEndExcluding": "3.18.6", "versionStartIncluding": "3.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7BDDDA3-FE7D-45F6-842C-0D023D926E18", "versionEndExcluding": "3.19.3", "versionStartIncluding": "3.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3."}, {"lang": "es", "value": "Una vulnerabilidad de neutralizaci\u00f3n inadecuada de elementos especiales fue identificada en GitHub Enterprise Server que permit\u00eda a un atacante con acceso de push a un repositorio lograr ejecuci\u00f3n remota de c\u00f3digo en la instancia. Durante una operaci\u00f3n de git push, los valores de opci\u00f3n de push proporcionados por el usuario no se sanitizaban correctamente antes de ser incluidos en los encabezados de servicio internos. Debido a que el formato del encabezado interno utilizaba un car\u00e1cter delimitador que tambi\u00e9n pod\u00eda aparecer en la entrada del usuario, un atacante pod\u00eda inyectar campos de metadatos adicionales a trav\u00e9s de valores de opci\u00f3n de push manipulados. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty y ha sido corregida en las versiones de GitHub Enterprise Server 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 y 3.19.3."}], "id": "CVE-2026-3854", "lastModified": "2026-03-12T18:45:25.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "product-cna@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:19:06.007", "references": [{"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6"}, {"source": "product-cna@github.com", "tags": ["Release Notes"], "url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3"}], "sourceIdentifier": "product-cna@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "product-cna@github.com", "type": "Secondary"}]}

{}