CRITICAL 29 Apr 2026

GitHub Enterprise Server CVE-2026-3854: RCE Risk Hits Self-Hosted Source-Code Platforms

Today’s coverage adds GitHub Enterprise Server CVE-2026-3854, a remote code execution issue tied to crafted git push options. The practical risk is concentrated in self-hosted source-code platforms, where compromise can affect repositories, CI/CD workflows, and internal development trust.

Finding: GitHub Enterprise Server CVE-2026-3854 Exposes Repository Push Paths to RCE

Confidence: High

NVD and the GitHub Advisory Database describe CVE-2026-3854 as an improper-neutralisation issue in GitHub Enterprise Server. An attacker with push access to a repository could achieve remote code execution by using crafted push-option values that were not properly sanitised before inclusion in internal service headers.

This is the day’s lead finding because GHES is often close to source code, release automation, credentials, and CI/CD integration points. The attacker precondition matters: push access is required. But many enterprises have large internal contributor populations, service accounts, bot users, and automation tokens. That makes repository-level access control part of the exposure picture, not a reason to defer patching.

Fixed GHES releases are 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, and 3.19.3. Organisations running self-hosted GitHub should identify every appliance, confirm version and build, and prioritise upgrade planning around instances that host sensitive repositories or drive deployment pipelines.
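
A version check for the inventory step described above, as an added example (not from this brief or from GitHub). The inventory format, hostnames, and status labels are assumptions; release series the brief does not list are reported as `unlisted` rather than guessed.

```python
import re

# Fixed release per GHES series, as listed in this brief: (major, minor) -> patch.
FIXED = {(3, 14): 24, (3, 15): 19, (3, 16): 15, (3, 17): 12, (3, 18): 6, (3, 19): 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def classify(version):
    """Return 'fixed', 'needs-upgrade', 'unlisted' or 'unparseable' for one version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"  # e.g. "3.19" with no patch level: confirm the exact build
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unlisted"  # series not named in the brief: check the vendor advisory
    return "fixed" if patch >= fixed_patch else "needs-upgrade"

def triage(inventory_text):
    """Parse 'hostname version' lines (assumed format); return {host: (version, status)}."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        version = parts[1] if len(parts) > 1 else ""
        results[parts[0]] = (version, classify(version))
    return results

def needs_attention(results):
    """Hosts whose status is anything other than 'fixed', sorted by name."""
    return sorted(h for h, (_, status) in results.items() if status != "fixed")

# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """
# host                        version
ghes-prod.example.internal    3.17.11
ghes-dr.example.internal      3.17.12
ghes-ci.example.internal      3.14.23
ghes-old.example.internal     3.13.9
ghes-lab.example.internal     3.19
ghes-new.example.internal     3.19.5
"""

if __name__ == "__main__":
    for host, (version, status) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30} {version:10} {status}")
```
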

Finding: Apache Camel-Coap WID-SEC-2026-1286 Needs Exposure Triage

Confidence: Low

BSI CERT-Bund published WID-SEC-2026-1286 as a high-severity Apache Camel-Coap advisory. The advisory indicates arbitrary program-code execution with the privileges of the service.

The evidence is thinner than the GHES finding. Today’s coverage marks the advisory low confidence because the source set did not include an explicit CVE or corroborating source. Even so, Camel integrations can sit in automation paths, IoT or OT bridges, and service-to-service messaging flows. Teams using Camel-Coap should check whether the component is present, whether it is reachable from untrusted networks, and what privilege the service account holds.

Finding: Wazuh WID-SEC-2026-1295 Raises Defensive-Infrastructure Risk

Confidence: Low

BSI CERT-Bund also published WID-SEC-2026-1295 for multiple Wazuh vulnerabilities. No explicit CVEs were assigned in today’s source set and the finding is labelled low confidence, but the affected product category is important because Wazuh commonly handles endpoint telemetry, alerting, log ingestion, and detection logic.

Security telemetry systems are high-value infrastructure. If a Wazuh manager, indexer, or agent path is disrupted or compromised, defenders can lose visibility at exactly the wrong time. The near-term action is not to assume compromise. It is to inventory Wazuh components, review vendor guidance, restrict administrative access, and schedule patching once affected versions are confirmed.

Finding: Microsoft CVE-2026-32631 Extends Developer-Endpoint Exposure

Confidence: Low

Microsoft CVE-2026-32631 is a new MSRC item in which git clone from manipulated repositories can leak NTLM hashes. The item is marked low confidence because today’s source set contains single-source MSRC coverage.

The risk sits in a familiar place: developer workstations and CI runners that interact with untrusted repositories. This does not outrank the GHES RCE, but it belongs in the same operational conversation. Teams should apply Microsoft guidance, tighten handling of untrusted repository clones, and check whether CI runners can expose Windows authentication material during build or test workflows.

Finding: Ubuntu USN-8219-1 Patches UltraJSON Denial-of-Service Issues

Confidence: Low

Ubuntu USN-8219-1 covers UltraJSON fixes for CVE-2026-32874 and CVE-2026-32875 in python3-ujson. The item is marked low confidence because it is single-source vendor data.

This is a fleet hygiene item rather than the day’s top exposure. It still matters where Python services parse attacker-controlled JSON or where distro packages underpin production applications. Linux teams should check for python3-ujson and apply Ubuntu’s fixed packages where affected.

Why This Matters

The main shift from yesterday is clear. Intrado 911 Emergency Gateway CVE-2026-6074 and AVEVA Pipeline Simulation CVE-2026-5387 remain serious, but today’s coverage classifies them as unchanged. Today’s new decision point is GitHub Enterprise Server CVE-2026-3854.

That matters because source-code systems concentrate trust. A weakness in a self-hosted code platform can touch repositories, CI/CD automation, secrets handling, and internal release processes. The new BSI, Microsoft, and Ubuntu items widen the same theme across integration middleware, defensive telemetry, developer endpoints, and Python dependencies.

Recommended Actions

  • Inventory all GitHub Enterprise Server instances and upgrade to 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6, 3.19.3, or a later fixed release.
  • Review repository push access, automation tokens, bot accounts, and service accounts on sensitive GHES projects.
  • Check Apache Camel-Coap exposure against WID-SEC-2026-1286, starting with internet-adjacent integrations and broadly privileged services.
  • Patch or mitigate Wazuh per WID-SEC-2026-1295 once affected versions are confirmed, and treat Wazuh infrastructure as high-value.
  • Apply Microsoft guidance for CVE-2026-32631 on Windows developer endpoints and CI runners that clone untrusted repositories.
  • Apply Ubuntu USN-8219-1 where python3-ujson is present below fixed package levels.
  • Keep Intrado EGW and AVEVA Pipeline Simulation on the watchlist, but do not reframe them as new today unless fresh evidence appears.

All findings grounded in a13e intelligence coverage through 04:30 UTC 29 April 2026.
