GitHub RCE via Single Git Push X-Stat Injection

Authenticated users exploited an X-Stat field injection in GitHub's internal git protocol to achieve RCE on GitHub.com and GHES using a standard git push, enabling access to millions of repositories (CVE-2026-3854, High severity).

Exploit Mechanism: X-Stat Injection in Internal Git Protocol

GitHub's internal git protocol processes push requests with an X-Stat field that is vulnerable to injection. An authenticated attacker crafts a git push that injects a payload into this field, bypassing normal access controls and triggering remote code execution (RCE) on GitHub.com infrastructure and on GitHub Enterprise Server (GHES) instances. No special tooling is required: the attack rides on the same standard git push command developers run daily, which is what makes it a risk in routine operations.

Key attack vector: the protocol does not properly sanitize or validate the X-Stat header during push handling, allowing arbitrary code injection. Builders should audit custom git hooks and protocol extensions for the same class of flaw, since a field parsed from push metadata without validation follows the same path to execution.

Impact: Widespread Repo Access and High Severity

RCE grants attackers control over GitHub servers, enabling access to millions of repositories beyond the attacker's permissions. This compromises private code, secrets, and deployment pipelines connected to repos. Tracked as CVE-2026-3854 with High severity, it underscores how a single push can escalate privileges across the platform.

Trade-offs in GitHub's design: optimizing for speed in high-volume pushes came at the cost of stricter input validation, a common pitfall in distributed version control systems. Mitigate by enabling strict protocol enforcement and by monitoring for anomalous push patterns in your workflows.

Lessons for Secure Git Workflows

Everyday git push is not bulletproof: internal protocol flaws can expose production systems. Scan for field injections in git server configs, use authenticated-only pushes where possible, and integrate vulnerability alerts such as CVE feeds into CI/CD. For GHES users, patch immediately and review audit logs for suspicious X-Stat activity. This vulnerability shows that even battle-tested platforms like GitHub need ongoing protocol hardening.

Summarized by x-ai/grok-4.1-fast via openrouter

3870 input / 2355 output tokens in 26057ms

© 2026 Edge