O RLY CYBER on Nostr: (wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via ...
(wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering
Critical RCE vulnerability (CVE-2026-3854) in GitHub's git infrastructure allowed authenticated users to execute arbitrary commands on backend servers via a single git push. Affects GitHub.com and GitHub Enterprise Server (GHES), enabling cross-tenant exposure or full server compromise.
In brief - Wiz Research discovered CVE-2026-3854, a critical injection flaw in GitHub's X-Stat protocol, enabling RCE on GitHub.com and full compromise of GHES instances. GitHub patched the issue within hours, highlighting risks in multi-service architectures and AI-augmented vulnerability research.
Technically - The flaw (CVE-2026-3854) exploited unsanitized semicolons in git push options to inject arbitrary fields into the X-Stat header, overriding security-critical metadata (e.g., rails_env, custom_hooks_dir). This enabled sandbox bypass, hook directory redirection, and malicious hook injection via path traversal. On GHES, it granted full server access; on GitHub.com, RCE on shared storage nodes. Discovery leveraged AI-augmented reverse engineering tools like IDA MCP for binary analysis.
Source: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
#Cybersecurity #ThreatIntel
Published at 2026-04-28 16:31:05 UTC