GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Tuesday, April 28, 2026, 12:00 PM UTC. 2 min read. Source: Hacker News. By sys://pipeline

Wiz Research discovered CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git infrastructure via X-Stat header injection, allowing authenticated users to execute arbitrary commands. On GitHub.com, the flaw exposed millions of public and private repositories; on GitHub Enterprise Server, it enabled full server compromise. GitHub patched GitHub.com within 6 hours, but 88% of GHES instances remained vulnerable at publication.
Tags: infrastructure
Related

Research, 5d ago
GitHub: Woah, a genuinely helpful AI-assisted bug report that isn't total slop. Here, Wiz, take this wad of cash
Wiz researchers used Claude Code to discover CVE-2026-3854 (CVSS 8.8), a critical GitHub vulnerability enabling full private repo access, in 48 hours—slashing traditional analysis timelines from months and demonstrating AI's transformative impact on security research.
Safety, Apr 28
GitHub Actions is the weakest link
GitHub Actions' mutable-dependency model and permissive fork defaults enabled a 2024-2026 supply chain attack wave compromising Ultralytics, nx, Trivy, and 23,000+ dependent repositories.