
[CIVN-2026-0214] Remote Code Execution Vulnerability in GitHub Enterprise Server
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
GitHub Enterprise Server versions:
Versions prior to 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.8, 3.19.4 and 3.20.0
Overview
A vulnerability has been reported in GitHub Enterprise Server which may allow an authenticated remote attacker to execute arbitrary code on the targeted system via a specially crafted git push request.
Target Audience:
Individuals and organizations that use the affected GitHub Enterprise Server.
Risk Assessment:
High risk of remote code execution, full system compromise, and sensitive data exposure in GitHub Enterprise Server.
Impact Assessment:
Remote Code Execution (RCE), unauthorized access, disclosure of sensitive information, and potential denial of service (DoS) in GitHub Enterprise Server.
Description
GitHub Enterprise Server is a self-hosted version of GitHub designed for enterprises to securely manage, develop, and collaborate on code within their own infrastructure.
This vulnerability exists due to improper input validation in Git push options. A remote authenticated attacker can inject malicious data through a specially crafted git push request and execute arbitrary commands on the system.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code, gain administrative access, read and expose sensitive information, and launch a denial-of-service (DoS) attack on the targeted system.
Solution
Users are advised to apply the appropriate updates as described in:
https://thehackernews.com/2026/04/researchers-discover-critical-github.html
https://github.com/advisories/GHSA-64fw-jx9p-5j24
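A triage check for the affected-version list above, as an added example that is not part of the CERT-In advisory or GitHub's tooling. It assumes each listed version is the first fixed release of its own branch and that branches older than 3.14 count as affected; the inventory hostnames and versions are constructed.

```python
import re

# Fixed patch level per release branch, from the advisory's "Software Affected" list.
# Assumption: each listed version is the first fixed release of its own branch.
FIXED_PATCH = {(3, 14): 25, (3, 15): 20, (3, 16): 16, (3, 17): 13,
               (3, 18): 8, (3, 19): 4, (3, 20): 0}
OLDEST, NEWEST = min(FIXED_PATCH), max(FIXED_PATCH)
# Strict X.Y.Z only; suffixed builds (e.g. release candidates) go to manual review.
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def assess(version_text):
    """Return (status, detail) for one GitHub Enterprise Server version string."""
    match = VERSION_RE.match(version_text or "")
    if not match:
        return ("unknown", "unparseable version, verify manually")
    major, minor, patch = (int(part) for part in match.groups())
    branch = (major, minor)
    if branch > NEWEST:
        return ("not_affected", "branch is newer than 3.20")
    if branch < OLDEST:
        # Assumption: branches older than 3.14 are "prior to" every listed fix.
        return ("affected", "branch predates 3.14, move to a fixed branch")
    fixed = FIXED_PATCH.get(branch)
    if fixed is None:
        return ("unknown", "branch not listed in the advisory")
    if patch < fixed:
        return ("affected", f"upgrade to {major}.{minor}.{fixed} or later")
    return ("not_affected", f"at or above {major}.{minor}.{fixed}")


def triage(inventory):
    """Assess a {host: version} inventory and return {host: (status, detail)}."""
    return {host: assess(version) for host, version in sorted(inventory.items())}


# Constructed inventory for illustration; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = {
    "ghes-prod.example.internal": "3.17.12",
    "ghes-dr.example.internal": "3.17.13",
    "ghes-legacy.example.internal": "3.12.9",
    "ghes-lab.example.internal": "3.20.0",
    "ghes-test.example.internal": "3.19.x",
}

if __name__ == "__main__":
    for host, (status, detail) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {status:13} {detail}")
```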
Vendor Information
https://github.com/advisories
References
https://thehackernews.com/2026/04/researchers-discover-critical-github.html
https://github.com/advisories/GHSA-64fw-jx9p-5j24
CVE Name
CVE-2026-3854
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


