好的,我现在需要帮用户总结一篇关于GitHub漏洞的文章,控制在100字以内。首先,我得仔细阅读文章内容,抓住关键点。 文章主要讲的是CVE-2026-3854这个漏洞,它允许攻击者通过一次git push执行远程代码。这个漏洞是由于命令注入问题引起的,影响了GitHub的多个企业版服务。攻击者可以利用push选项中的值注入额外的元数据字段,从而在服务器上运行任意命令。 接下来,我需要确定用户的需求。用户要求用中文总结,控制在100字以内,并且不需要特定的开头。所以我要简洁明了地概括主要信息。 首先提到漏洞名称和影响范围:GitHub Enterprise Cloud和Server版本。然后说明漏洞的原因:命令注入导致远程代码执行。接着提到攻击者如何利用push选项注入元数据字段,最终导致服务器执行恶意命令。最后提到GitHub已经修复,并强调了升级的重要性。 现在把这些信息浓缩到100字以内。可能需要省略一些技术细节,比如具体的版本号和修复时间,但要保留关键点:漏洞名称、影响范围、原因、攻击方式和修复情况。 最后检查字数是否符合要求,并确保语言通顺自然。 </think> GitHub发现严重漏洞CVE-2026-3854,允许攻击者通过一次git push执行远程代码。该漏洞由命令注入引起,影响GitHub Enterprise Cloud和Server版本。攻击者可利用push选项注入恶意元数据字段,在服务器上运行任意命令。GitHub已修复并建议用户立即升级以避免风险。 2026-4-28 20:39:28 Author: securityaffairs.com(查看原文) 阅读量:25 收藏
CVE-2026-3854 GitHub flaw enables remote code execution
Critical GitHub flaw CVE-2026-3854 lets attackers run code with a single git push, exploiting a command injection bug.
Researchers found a critical vulnerability in GitHub, tracked as CVE-2026-3854, that allows remote code execution through a simple git push. The vulnerability affects GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.
The flaw is caused by a command injection issue, meaning an attacker with repository push access can run arbitrary commands on affected systems. With a high severity score, the bug poses serious risks for both GitHub.com and GitHub Enterprise Server users.
“An improper neutralization of special elements vulnerability was identified in GitHub Enterprise Server that allowed an attacker with push access to a repository to achieve remote code execution on the instance.” reads the advisory. “During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers. Because the internal header format used a delimiter character that could also appear in user input, an attacker could inject additional metadata fields through crafted push option values.”
The flaw was reported through GitHub’s bug bounty program and fixed in Enterprise Server versions 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3.
Wiz researchers reported the vulnerability on March 4, 2026, and GitHub addressed the issue within two hours.
When code is pushed to GitHub, internal services exchange metadata about the operation. The flaw arose because user-supplied git push options were not properly sanitized and were embedded into this metadata. Attackers could exploit delimiter handling to inject extra fields, tricking downstream services into treating malicious input as trusted data. This allowed them to alter execution environments, bypass sandbox protections, and run arbitrary commands on the server.
GitHub quickly fixed the issue by sanitizing inputs and released patches for Enterprise Server versions. The investigation found no real-world exploitation beyond researchers’ tests, and no customer data was compromised.
When code is pushed to GitHub, internal services exchange metadata about the operation. The flaw arose because user-supplied git push options were not properly sanitized and were embedded into this metadata. Attackers could exploit delimiter handling to inject extra fields, tricking downstream services into treating malicious input as trusted data. This allowed them to alter execution environments, bypass sandbox protections, and run arbitrary commands on the server.
GitHub quickly fixed the issue by sanitizing inputs and released patches for Enterprise Server versions. An investigation found no real-world exploitation beyond researchers’ tests, and no customer data was compromised.
Wiz researchers pointed out that this flaw was found in closed-source code using AI, showing a shift in vulnerability discovery. Despite its complexity, it’s easy to exploit. On GitHub, it enabled remote code execution on shared storage nodes, potentially exposing millions of repositories. On Enterprise Server, it could lead to full system compromise, including access to all repositories and sensitive internal data.
“GitHub Enterprise Server customers should upgrade immediately – at the time of this writing, our data indicates that 88% of instances are still vulnerable.” reported Wiz.
Attackers could escalate the flaw to full remote code execution by abusing injected fields. By altering the rails_env value, they bypassed sandbox protections and forced hooks to run in an unsafe mode. They then redirected the hook directory and used path traversal to execute arbitrary files. This chain allowed commands to run as the git service user, giving full control over the system, including filesystem access and internal configurations.
On GitHub, the same flaw could be exploited by injecting an enterprise-mode flag through internal metadata, enabling code execution even though custom hooks are normally disabled. Due to GitHub’s multi-tenant architecture, this access could expose data across environments, potentially allowing attackers to read millions of repositories on shared storage nodes.
The issue shows how a single git push could exploit trust between internal services. GitHub urged immediate patching and highlighted the need to secure how user-controlled data flows through internal protocols in complex systems.
“A single git push command was enough to exploit a flaw in GitHub’s internal protocol and achieve code execution on backend infrastructure.” concludes the report.”The vulnerability chain highlights a pattern that extends well beyond GitHub. When multiple services written in different languages pass data through a shared internal protocol, the assumptions each service makes about that data become a critical attack surface. In this case, one service assumed push option values were safe to embed verbatim. “
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CVE-2026-3854)
如有侵权请联系:admin#unsafe.sh