Google patched an Android zero-click RCE flaw affecting multiple versions. Here’s what IT teams should know and how to reduce mobile risk.

The post Google Update: Android Flaw Could Put Billions of Devices at Risk appeared first on TechRepublic.

Cybersecurity researchers have revealed critical details about a newly identified RCE vulnerability, tracked as CVE-2026-3854, affecting both GitHub’s cloud infrastructure and GitHub Enterprise Server deployments. The flaw, which carries a high CVSS score of 8.7, could allow an authenticated user to execute arbitrary code on affected systems with a single crafted git push command.  The vulnerability, discovered by researchers at Wiz, exposes a command injection flaw within GitHub’s internal handling of user-supplied data. Specifically, the issue lies in how push options, key-value strings sent during a git push operation, were processed. 

What is CVE-2026-3854 RCE Vulnerability? 

According to an advisory from GitHub, “During a git push operation, user-supplied push option values were not properly sanitized before being included in internal service headers.” Because the internal header format relied on a delimiter character that could also appear in user input, attackers could manipulate these values to inject additional metadata fields.  This weakness opened the door for exploitation of the RCE vulnerability, allowing attackers to gain access to a repository, including one they created themselves, to execute arbitrary commands on the server handling the request.

How the RCE Vulnerability Worked 

At the core of CVE-2026-3854 is improper input sanitization. During a typical git push, metadata such as repository type and processing environment is passed between internal services. This metadata is encoded using a delimiter, specifically a semicolon.  However, because user-controlled push options were inserted into this metadata without sufficient filtering, an attacker could craft inputs containing the delimiter. This allowed them to inject additional fields into the internal X-Stat header.  By chaining multiple malicious values, researchers demonstrated that an attacker could: 

• Override the environment in which the push operation was processed  
• Bypass sandboxing protections designed to restrict execution  
• Ultimately achieve remote code execution on the server  

This made the flaw particularly dangerous, as it required minimal effort to exploit—a single command could trigger the attack. 

Timeline: Discovery and Rapid Response 

The CVE-2026-3854 RCE vulnerability was responsibly disclosed by Wiz on March 4, 2026. GitHub’s response was notably swift.  In a detailed blog post, Alexis Wales explained:  “On March 4, 2026, we received a vulnerability report through our Bug Bounty program from researchers at Wiz describing a critical remote code execution vulnerability affecting github.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.”  GitHub’s internal security team began validation immediately. Within 40 minutes, they had reproduced the issue and confirmed its severity. By 5:45 p.m. UTC, the root cause had been identified, and by 7:00 p.m. UTC—less than two hours after validation—a fix was deployed to GitHub.com. 

Affected Systems and Patch Availability 

The RCE vulnerability CVE-2026-3854 impacted a wide range of GitHub products, including: 

• GitHub.com  
• GitHub Enterprise Cloud  
• GitHub Enterprise Cloud with Data Residency  
• GitHub Enterprise Cloud with Enterprise Managed Users  
• GitHub Enterprise Server  

While cloud-hosted services were patched automatically on March 4, 2026, GitHub Enterprise Server required manual updates. Fixes were released in the following versions: 

• 3.14.25  
• 3.15.20  
• 3.16.16  
• 3.17.13  
• 3.18.8  
• 3.19.4  
• 3.20.0 or later  

Users of GitHub Enterprise Server are strongly advised to upgrade immediately to mitigate the risk associated with this RCE vulnerability. 

No Evidence of Exploitation 

Following the patch deployment, GitHub conducted a thorough forensic investigation to determine whether CVE-2026-3854 had been exploited in the wild.  A key indicator of exploitation was the triggering of an unusual internal code path—one not used during normal operations. GitHub analyzed telemetry data and found: 

• All instances of this anomalous behavior were linked exclusively to the Wiz researchers’ testing  
• No unauthorized users triggered the exploit  
• No customer data was accessed, modified, or exfiltrated  

This provided strong assurance that the RCE vulnerability had not been abused before disclosure. 

Defense-in-Depth Improvements 

Beyond fixing the input sanitization issue, GitHub identified an additional weakness. The exploit relied partly on a code path that should not have been accessible in the affected environment. Although it existed within the server’s container image, it was intended for a different configuration. GitHub removed this unnecessary code as part of its remediation efforts. This additional hardening ensures that even if a similar vulnerability emerges in the future, its impact would be significantly reduced.

Recommendations for GitHub Enterprise Server Users 

For organizations using GitHub Enterprise Server, exploitation of CVE-2026-3854 would require an authenticated user with push access. As a precaution, GitHub recommends: 

• Reviewing /var/log/github-audit.log for suspicious push operations  
• Checking for push options containing semicolons (;)  
• Upgrading to the latest patched version without delay  

A critical Flowise RCE vulnerability is now being actively exploited. The flaw, tracked as CVE-2025-59528, carries a maximum severity rating and enables attackers to execute arbitrary code on affected systems, potentially leading to full system compromise.  Security researchers have confirmed that threat actors are taking advantage of the Flowise RCE vulnerability to infiltrate vulnerable deployments. This issue, identified as CVE-2025-59528, allows malicious actors to inject and execute arbitrary code through unsafe handling of user input within the platform.  The vulnerability was first publicly disclosed in September of last year, accompanied by warnings that successful exploitation could result in command execution and unauthorized access to the file system. Despite the availability of a patch, exploitation attempts have now been observed in real-world environments. 

Unsafe JavaScript Execution 

The issue arises in the Flowise CustomMCP node, a component designed to connect with external Model Context Protocol (MCP) servers. The vulnerability arises because the node unsafely evaluates user-supplied input in the mcpServerConfig setting.  This design flaw allows attackers to inject malicious JavaScript code without undergoing proper validation or security checks. As a result, attackers can leverage the Flowise RCE vulnerability (CVE-2025-59528) to execute arbitrary code, potentially gaining control over the affected system.  The developers addressed the vulnerability in Flowise version 3.0.6. The latest available version, 3.1.1, was released two weeks ago and includes the necessary fixes.  Flowise itself is a low-code, open-source platform used to build AI agents and large language model (LLM) workflows. It features a drag-and-drop interface that enables users to design pipelines for chatbots, automation tools, and other AI-driven systems.

Evidence of Flowise RCE Vulnerability 

According to Caitlin Condon, VP of Security Research at VulnCheck, exploitation activity has already begun. She stated:  “New hashtag#KEV: Early this morning, VulnCheck's Canary network began detecting first-time exploitation of CVE-2025-59528, a CVSS-10 arbitrary JavaScript code injection vulnerability in Flowise, an open-source AI development platform. The vulnerability resides in the CustomMCP server logic in multiple versions of Flowise and allows for code execution.”  She further noted:  “Observed activity so far originates from a single Starlink IP. Our team's ASM queries show 12,000 - 15,000 instances of Flowise on the public internet as of today. CVE-2025-59528 is patched in version 3.0.6 of Flowise.”  This suggests that while exploitation is currently limited, the attack surface remains significant due to the large number of exposed instances. 

Additional Vulnerabilities Increase Risk 

The Flowise RCE vulnerability (CVE-2025-59528) is not the only security concern affecting the platform. Researchers have also observed active exploitation of two other vulnerabilities: CVE-2025-8943 and CVE-2025-26319.  Condon emphasized that both of these flaws are included in VulnCheck’s Known Exploited Vulnerabilities (KEV) catalog and have been detected through their monitoring systems. This indicates a broader pattern of attackers targeting Flowise deployments to execute arbitrary code and gain unauthorized access.  Although estimates suggest that between 12,000 and 15,000 Flowise instances are accessible on the public internet, it remains unclear how many of these are vulnerable to CVE-2025-59528.  Even so, the presence of such a large number of exposed systems increases the likelihood of further attacks, especially as exploit techniques become more widely available. 

Recommendations for Users

Users of Flowise are strongly advised to take immediate action to mitigate the risks associated with CVE-2025-59528. Upgrading to version 3.1.1, or at a minimum version 3.0.6, is critical to patch the Flowise RCE vulnerability and prevent attackers from exploiting it to execute arbitrary code.  Additionally, organizations should evaluate whether their Flowise instances need to be publicly accessible. If external access is not required, removing these systems from the public internet can significantly reduce exposure to attacks.