In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories.
The flaw was reported on March 4, 2026, by researchers at cybersecurity firm Wiz through GitHub’s bug bounty program. GitHub Chief Information Security Officer Alexis Wales said the company’s security team reproduced and confirmed the vulnerability within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report.
CVE-2026-3854 affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.
