Wiz — GitHub CVE-2026-3854 RCE via Single Git Push

AI relevance: This critical GitHub infrastructure flaw was discovered using AI-augmented reverse engineering (IDA MCP), and GitHub is the primary code destination for every AI coding agent — Claude Code, Cursor, Codex, and Copilot all push through this same pipeline.

What happened

  • Wiz Research uncovered CVE-2026-3854, a critical remote code execution vulnerability (CVSS 8.7) in GitHub's internal git infrastructure affecting both GitHub.com and GitHub Enterprise Server (GHES).
  • Any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command — using nothing but a standard git client.
  • The vulnerability is an injection flaw in GitHub's internal X-Stat header, which carries security-critical metadata between services. User-controlled git push options (git push -o) were copied into this header without semicolon sanitization.
  • Because the header uses last-write-wins semantics for duplicate keys, attackers could inject and override security fields like push_option_count, bypassing policy enforcement.
  • On GitHub.com, this allowed RCE on shared storage nodes where millions of public and private repositories from other organizations were accessible.
  • On GHES, the same flaw gives the attacker full control of the server, including every hosted repository and the instance's internal secrets.
  • GitHub mitigated the issue on GitHub.com within 6 hours of the report and released patches for all supported GHES versions.
  • At the time of disclosure, 88% of GHES instances remained unpatched and therefore still vulnerable.
  • Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI-assisted tooling — Wiz leveraged automated reverse engineering via IDA MCP to analyze GitHub's compiled binaries and reconstruct internal protocols.
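To make the injection mechanism in the bullets above concrete, here is an added Python model (not code from Wiz's write-up, and not GitHub's implementation): a delimiter-separated metadata header in which user-controlled push option values are copied in verbatim and a consumer resolves duplicate keys last-write-wins, shown next to a hardened producer and parser. The "key=value;key=value" layout, every field name other than push_option_count, and the sample values are assumptions; GitHub's actual fix is not described on this page, so the escaping and duplicate-key rejection below are one reasonable hardening, not the vendor's.

```python
"""
Added illustration (not GitHub's or Wiz's code): a toy model of the X-Stat
header injection described in the write-up.  The real header format is
internal to GitHub and not shown; a "key=value;key=value" layout and a
last-write-wins parser are ASSUMED here so the two properties the write-up
names (push option values copied in without ';' sanitization, duplicate keys
resolved last-write-wins) can be exercised next to a fix.
"""
from urllib.parse import unquote

SEP = ";"  # assumed field delimiter


def build_header_vulnerable(trusted: dict, push_options: list) -> str:
    """Pre-fix model: user-controlled push option values are copied verbatim."""
    fields = dict(trusted)
    fields["push_option_count"] = str(len(push_options))
    for i, opt in enumerate(push_options):
        fields[f"push_option_{i}"] = opt
    return SEP.join(f"{k}={v}" for k, v in fields.items())


def parse_header(header: str) -> dict:
    """Consumer model: split on ';', then on the first '='.
    A repeated key silently overwrites the earlier value (last-write-wins)."""
    out = {}
    for field in header.split(SEP):
        if field:
            key, _, value = field.partition("=")
            out[key] = value
    return out


def escape_value(value: str) -> str:
    """Percent-encode the delimiter, '=' and '%' itself so no value can be
    read as a field boundary.  '%' is encoded first so escapes stay unambiguous."""
    return value.replace("%", "%25").replace(SEP, "%3B").replace("=", "%3D")


def build_header_fixed(trusted: dict, push_options: list) -> str:
    """Producer-side fix: every value is escaped before serialization.
    Keys are server-chosen and therefore not escaped."""
    fields = dict(trusted)
    fields["push_option_count"] = str(len(push_options))
    for i, opt in enumerate(push_options):
        fields[f"push_option_{i}"] = opt
    return SEP.join(f"{k}={escape_value(v)}" for k, v in fields.items())


def parse_header_strict(header: str) -> dict:
    """Consumer-side defence in depth: a repeated or malformed key is an
    error rather than a quiet override; values are decoded only after splitting."""
    out = {}
    for field in header.split(SEP):
        if not field:
            continue
        key, eq, value = field.partition("=")
        if not eq or key in out:
            raise ValueError(f"malformed or duplicate field: {key!r}")
        out[key] = unquote(value)
    return out


def strict_parser_rejects(header: str) -> bool:
    """True if the strict parser refuses the header."""
    try:
        parse_header_strict(header)
    except ValueError:
        return True
    return False


# Constructed sample data (not taken from the advisory).
TRUSTED = {"repo_id": "12345", "user_id": "67890"}
# Constructed push option: terminates its own field and smuggles two duplicate
# keys, one of them the security field the write-up names.
EVIL_OPTION = "ci.skip;push_option_count=0;user_id=1"


def demo():
    """Return (parsed vulnerable header, parsed hardened header) for the same input."""
    vulnerable = parse_header(build_header_vulnerable(TRUSTED, [EVIL_OPTION]))
    fixed = parse_header_strict(build_header_fixed(TRUSTED, [EVIL_OPTION]))
    return vulnerable, fixed


if __name__ == "__main__":
    v, f = demo()
    print("vulnerable:", v["push_option_count"], v["user_id"])  # 0 1
    print("fixed:     ", f["push_option_count"], f["user_id"])  # 1 67890
```

Run directly, the vulnerable path reports push_option_count "0" and user_id "1", both attacker-supplied, while the hardened path keeps "1" and "67890" and carries the hostile string intact inside push_option_0. Both halves of the fix matter: escaping at the producer removes the injection, and rejecting duplicate keys at the consumer means a future serializer bug fails loudly instead of silently handing the attacker the last write.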

Why it matters

AI coding agents now push code to GitHub at scale — every Claude Code session, every Cursor agent, every automated PR lands through this exact pipeline. A vulnerability in GitHub's push processing infrastructure represents a direct risk to the AI development supply chain. An attacker with any GitHub account could have gained access to other organizations' repositories on shared infrastructure. For self-hosted GHES, full server compromise means every codebase, CI secret, and deployment key is exposed.

What to do

  • GHES administrators: Upgrade immediately to the fixed release for your branch, or any later release: 3.14.24, 3.15.19, 3.16.15, 3.17.12, 3.18.6 or 3.19.3.
  • Wiz customers: Use the pre-built Threat Center query to identify vulnerable GHES instances in your environment.
  • Organizations relying on AI coding agents: Treat GitHub infrastructure vulnerabilities as part of your AI supply-chain risk assessment — the agents depend on GitHub's integrity.

Sources