CRITICAL

Critical GitHub RCE CVE-2026-3854 Exposed Millions of Repositories


CVE-2026-3854, a critical remote code execution vulnerability in GitHub.com and GitHub Enterprise Server, is reported to have exposed millions of repositories before remediation. The flaw has since been patched by GitHub.

GitHub Enterprise Server administrators should immediately verify that their instances are running the patched version. Cloud-hosted GitHub.com users are protected by GitHub’s own remediation. No confirmed active exploitation was reported, but the attack surface — millions of repositories containing source code, secrets, and credentials — makes this a high-priority upgrade for any GHES deployment.