(wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering
-
(wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering
Critical RCE vulnerability (CVE-2026-3854) in GitHub's git infrastructure allowed authenticated users to execute arbitrary commands on backend servers via a single git push. Affects GitHub.com and GitHub Enterprise Server (GHES), enabling cross-tenant exposure or full server compromise.
In brief - Wiz Research discovered CVE-2026-3854, a critical injection flaw in GitHub's X-Stat protocol, enabling RCE on GitHub.com and full compromise of GHES instances. GitHub patched the issue within hours, highlighting risks in multi-service architectures and AI-augmented vulnerability research.
Technically - The flaw (CVE-2026-3854) exploited unsanitized semicolons in git push options to inject arbitrary fields into the X-Stat header, overriding security-critical metadata (e.g., rails_env, custom_hooks_dir). This enabled sandbox bypass, hook directory redirection, and malicious hook injection via path traversal. On GHES, it granted full server access; on GitHub.com, RCE on shared storage nodes. Discovery leveraged AI-augmented reverse engineering tools like IDA MCP for binary analysis.
Source: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
-
R relay@relay.infosec.exchange shared this topic
