Wiz got RCE on the cloud version of Github.com and access to every customer environment.

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Wed, 29 Apr 2026 08:48:21 GMT

stemeerkat@cyberplace.social — Wed, 29 Apr 2026 08:48:21 GMT

@GossiTheDog this is massive, have Github made a public response?

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Wed, 29 Apr 2026 06:35:03 GMT

omegapolice@hachyderm.io — Wed, 29 Apr 2026 06:35:03 GMT

@GossiTheDog They explicitly say so in their blog post, so ... ?

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Wed, 29 Apr 2026 04:29:44 GMT

peterupfold@fosstodon.org — Wed, 29 Apr 2026 04:29:44 GMT

@GossiTheDog It’s a very Bill Clinton “depends on the meaning of the word ‘is’” approach to truth.

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 20:27:53 GMT

ketumbra@infosec.exchange — Tue, 28 Apr 2026 20:27:53 GMT

@xconde @GossiTheDog as long as they also check for abuse of the exploit and Inform you about it. Which would be handy to have a cve number attached to the report.
So, they should still fix and then notify but can't just say "cloud is not affected" if they mean, "cloud is no longer vulnerable"

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 19:57:50 GMT

spaceinvader@social.securitytheater.net — Tue, 28 Apr 2026 19:57:50 GMT

@GossiTheDog at least while I’m in charge of issuing CVEs, we won’t do this.

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 19:34:24 GMT

clickymcticker@hachyderm.io — Tue, 28 Apr 2026 19:34:24 GMT

@GossiTheDog Oh, phew. I thought this was an RCE impacting Wiz lightbulbs.

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 19:31:26 GMT

stsp@bsd.network — Tue, 28 Apr 2026 19:31:26 GMT

@henryk @GossiTheDog I was hoping for an exciting eyploit and was left rather disappointed

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 19:05:57 GMT

laurento@fosstodon.org — Tue, 28 Apr 2026 19:05:57 GMT

@GossiTheDog Totally

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 19:04:24 GMT

henryk@chaos.social — Tue, 28 Apr 2026 19:04:24 GMT

@GossiTheDog A header injection? In *this* economy?!

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 18:59:59 GMT

drwho@masto.hackers.town — Tue, 28 Apr 2026 18:59:59 GMT

@GossiTheDog Can I quote you on that?

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 18:59:08 GMT

xavier@infosec.exchange — Tue, 28 Apr 2026 18:59:08 GMT

@GossiTheDog Here's a non-Twitter link: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 18:58:56 GMT

systemadminihater@cyberplace.social — Tue, 28 Apr 2026 18:58:56 GMT

@GossiTheDog You're describing the Microsoft method

Reply to Wiz got RCE on the cloud version of Github.com and access to every customer environment. on Tue, 28 Apr 2026 18:58:12 GMT

gossithedog@cyberplace.social — Tue, 28 Apr 2026 18:58:12 GMT

Almost every time a SaaS supplier tells you a CVE in their product doesn't apply to their SaaS version.. it means they patched it before issuing the CVE.