CVE-2026-3854 is a command injection vulnerability in GitHub’s git push handling pipeline. Any authenticated user with push access can execute arbitrary commands on GitHub Enterprise Server backend infrastructure with a single push operation. Cross-tenant repository read access has been confirmed on GitHub.com’s shared infrastructure, meaning organizations on shared nodes cannot exclude credential and source code exposure without confirmed clean-node attestation from GitHub.