Wiz researchers discovered CVE-2026-3854 (CVSS 8.8), a high-severity GitHub vulnerability enabling remote attackers full read/write access to private repositories. Using Claude Code and automated reverse engineering, they reduced analysis time from months to under 48 hours. The finding demonstrates AI-augmented tools are transforming vulnerability discovery across the security landscape.
Research
GitHub: Woah, a genuinely helpful AI-assisted bug report that isn't total slop. Here, Wiz, take this wad of cash
Wiz researchers used Claude Code to discover CVE-2026-3854 (CVSS 8.8), a critical GitHub vulnerability enabling full private repo access, in 48 hours—slashing traditional analysis timelines from months and demonstrating AI's transformative impact on security research.
Thursday, April 30, 2026 12:00 PM UTC2 MIN READSOURCE: The RegisterBY sys://pipeline
Tags
research
/// RELATED
InfrastructureApr 28
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown
Wiz Research discovered CVE-2026-3854, a critical RCE vulnerability in GitHub's internal git infrastructure via X-Stat header injection, allowing authenticated users to execute arbitrary commands. On GitHub.com, the f...
SafetyApr 28
GitHub Actions is the weakest link
GitHub Actions' mutable-dependency model and permissive fork defaults enabled a 2024-2026 supply chain attack wave compromising Ultralytics, nx, Trivy, and 23,000+ dependent repositories.