## https://sploitus.com/exploit?id=A9DE86C2-8A21-584D-B57B-6A4BFDAA4D58
# CVE-2026-3854 PoC โ GitHub RCE via X-Stat Push Option Injection
> **For educational and authorized security research purposes only.**
> Do not use against any system without explicit written permission.
---
## Overview
**CVE-2026-3854** is a Remote Code Execution vulnerability in GitHub Enterprise
Server's (and GitHub.com's) git push pipeline.
When a client supplies push options (`git push -o`), GitHub's internal Ruby code
builds an `X-Stat` header by concatenating each option value with semicolons as
field delimiters. Because values were inserted **verbatim** (without sanitisation),
an attacker could embed semicolons in a push option to inject arbitrary key-value
fields into the header and override security-critical settings โ ultimately
achieving unsandboxed RCE as the `git` user.
### Vulnerability root cause
```
X-Stat: repo_id=12345;user_id=alice;rails_env=production;...;push_option_0=
```
Injecting `normal_value;rails_env=staging` as the push option value turns into:
```
...;push_option_0=normal_value;rails_env=staging
```
The parser takes the **last** occurrence of each key, so `rails_env` is now
`staging` (unsandboxed), overriding the legitimate `production` value set earlier.
---
## Requirements
- Python 3.10 or later (uses built-in `list[str]` / `dict[str, str]` type hints)
- No third-party packages required
---
## Usage
```bash
python3 exploi-git.py
```
The script runs three back-to-back demonstrations entirely in memory โ no
network connections, no shell commands, no file writes:
| Demo | What it shows |
|------|---------------|
| **1** | Basic semicolon injection overriding `rails_env` |
| **2** | Full 3-step conceptual RCE chain |
| **3** | Patched behaviour โ semicolons are percent-encoded and injection is neutralised |
---
## Patch
GitHub fixed the vulnerability by percent-encoding semicolons in push option
values before inserting them into the `X-Stat` header:
```
normal_value;rails_env=staging โ normal_value%3Brails_env=staging
```
This makes the semicolon a literal part of the value and breaks the injection.
---
## References
- [Wiz Research blog post](https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854)
- [GitHub Security Blog](https://github.blog/security/securing-the-git-push-pipeline/)
- [NVD โ CVE-2026-3854](https://nvd.nist.gov/vuln/detail/CVE-2026-3854)
---
## Disclaimer
This repository is provided solely for **educational purposes** and to support
**authorized security research**. The author(s) assume no responsibility for
misuse. Always obtain explicit written permission before testing against any
system you do not own.