CVE-2026-3854

An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24	Release Notes
https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19	Release Notes
https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15	Release Notes
https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12	Release Notes
https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6	Release Notes
https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::
	cpe:2.3:a:github:enterprise_server::::::::

History

No history.

Information

Published : 2026-03-10 18:19

Updated : 2026-03-12 18:45

NVD link : CVE-2026-3854

Mitre link : CVE-2026-3854

CVE.ORG link : CVE-2026-3854

JSON object : View

Products Affected

github

enterprise_server

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2026-3854", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "product-cna@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T18:19:06.007", "references": [{"url": "https://docs.github.com/en/enterprise-server@3.14/admin/release-notes#3.14.24", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.15/admin/release-notes#3.15.19", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.16/admin/release-notes#3.16.15", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.17/admin/release-notes#3.17.12", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.18/admin/release-notes#3.18.6", "tags": ["Release Notes"], "source": "product-cna@github.com"}, {"url": "https://docs.github.com/en/enterprise-server@3.19/admin/release-notes#3.19.3", "tags": ["Release Notes"], "source": "product-cna@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "product-cna@github.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance. During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values. This vulnerability was reported via the GitHub Bug Bounty program and has been fixed in GitHub Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 and 3.19.3."}, {"lang": "es", "value": "Una vulnerabilidad de neutralizaci\u00f3n inadecuada de elementos especiales fue identificada en GitHub Enterprise Server que permit\u00eda a un atacante con acceso de push a un repositorio lograr ejecuci\u00f3n remota de c\u00f3digo en la instancia. Durante una operaci\u00f3n de git push, los valores de opci\u00f3n de push proporcionados por el usuario no se sanitizaban correctamente antes de ser incluidos en los encabezados de servicio internos. Debido a que el formato del encabezado interno utilizaba un car\u00e1cter delimitador que tambi\u00e9n pod\u00eda aparecer en la entrada del usuario, un atacante pod\u00eda inyectar campos de metadatos adicionales a trav\u00e9s de valores de opci\u00f3n de push manipulados. Esta vulnerabilidad fue reportada a trav\u00e9s del programa GitHub Bug Bounty y ha sido corregida en las versiones de GitHub Enterprise Server 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 y 3.19.3."}], "lastModified": "2026-03-12T18:45:25.490", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EB7E4D72-FF86-46B4-B083-AF569D3C3113", "versionEndExcluding": "3.14.24"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F454B367-74E1-49D4-A8C0-BCE14CF453E5", "versionEndExcluding": "3.15.19", "versionStartIncluding": "3.15.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC07747C-95D1-4438-BBD8-9BC3C8F6B5F6", "versionEndExcluding": "3.16.15", "versionStartIncluding": "3.16.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71BDBBDA-966C-419F-8D4F-5E7FB2411AE8", "versionEndExcluding": "3.17.12", "versionStartIncluding": "3.17.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32CB5071-12A8-4C9A-9572-4FBC5C20F869", "versionEndExcluding": "3.18.6", "versionStartIncluding": "3.18.0"}, {"criteria": "cpe:2.3:a:github:enterprise_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7BDDDA3-FE7D-45F6-842C-0D023D926E18", "versionEndExcluding": "3.19.3", "versionStartIncluding": "3.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "product-cna@github.com"}