CRITICAL

GitHub RCE Flaw CVE-2026-3854 Could Have Exposed Millions of Private Repositories

· rce · vulnerability · cve · github

Wiz Research used AI models to discover CVE-2026-3854, a critical remote code execution vulnerability in GitHub's internal git infrastructure that could have allowed an attacker to read millions of public and private repositories. GitHub's security team validated the bug bounty report and fully patched GitHub.com within six hours of notification in early March.

The flaw affected both GitHub.com and GitHub Enterprise Server. The six-hour fix covers GitHub.com only: GitHub Enterprise Server is self-hosted, so an instance is patched only once its operator upgrades to a fixed release. Operators should compare their installed version against the fixed versions in GitHub's advisory for their release line. No exploitation is known to have occurred before the patch. The six-hour remediation timeline is notable and reflects GitHub's investment in security response capacity.
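One way for a GitHub Enterprise Server operator to run that check is to read `installed_version` from the instance's `/api/v3/meta` endpoint and compare it, per release line, against the minimum fixed version. The script below is an added example written for this post, not code from GitHub or Wiz. The post does not state which GHES releases fix CVE-2026-3854, so the `EXAMPLE_FIXED` table holds hypothetical placeholder versions that must be replaced with the values from GitHub's advisory; the `SAMPLE_META` response is constructed so the script runs offline. The comparison is done per release line because GHES patches each supported line separately, so a lower line can be patched while a higher line is not.

```python
"""Check a GitHub Enterprise Server installed version against per-release-line
minimum fixed versions. Added example; the fixed-version table is a placeholder."""
import json
import re
import urllib.request
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Line = Tuple[int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', ignoring any suffix such as '-rc1'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised GHES version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_version_from_meta(meta_json: str) -> Version:
    """Extract installed_version from the body of a GHES GET /api/v3/meta response.
    GitHub.com's /meta has no installed_version field, so its absence is an error."""
    meta = json.loads(meta_json)
    if "installed_version" not in meta:
        raise ValueError("no installed_version field: not a GitHub Enterprise Server instance?")
    return parse_version(meta["installed_version"])


def patch_status(installed: Version, fixed_by_line: Dict[Line, Version]) -> str:
    """Return 'patched', 'vulnerable' or 'unsupported' for an installed version.
    The comparison is per release line: with the table below 3.13.10 is patched
    while 3.14.3 is not, even though 3.14.3 is the higher version overall."""
    line = installed[:2]
    if line not in fixed_by_line:
        # A line absent from the advisory table is out of support; treat as unpatched.
        return "unsupported"
    return "patched" if installed >= fixed_by_line[line] else "vulnerable"


def fetch_meta(base_url: str, token: Optional[str] = None) -> str:
    """GET {base_url}/api/v3/meta. A token is only needed when the instance
    is in private mode and rejects anonymous API requests (assumption)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v3/meta",
        headers={"Accept": "application/vnd.github+json"},
    )
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample response (offline stand-in for fetch_meta) and a
# HYPOTHETICAL fixed-version table. Replace EXAMPLE_FIXED with the fixed
# versions from GitHub's advisory for CVE-2026-3854 before real use.
SAMPLE_META = '{"verifiable_password_authentication": true, "installed_version": "3.14.3"}'
EXAMPLE_FIXED: Dict[Line, Version] = {
    (3, 13): (3, 13, 10),
    (3, 14): (3, 14, 5),
    (3, 15): (3, 15, 2),
}

if __name__ == "__main__":
    # For a live check: body = fetch_meta("https://ghes.example.internal", token=None)
    body = SAMPLE_META
    version = installed_version_from_meta(body)
    print(".".join(map(str, version)), patch_status(version, EXAMPLE_FIXED))
```

Run it against a live instance by swapping `SAMPLE_META` for `fetch_meta(...)`; the per-line lookup is the part worth keeping, since a simple "is my version greater than X" test would wrongly pass an unpatched build on a newer release line.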