{"id":16152,"date":"2026-04-29T11:51:29","date_gmt":"2026-04-29T11:51:29","guid":{"rendered":"https:\/\/newestek.com\/?p=16152"},"modified":"2026-04-29T11:51:29","modified_gmt":"2026-04-29T11:51:29","slug":"critical-github-rce-bug-exposed-millions-of-repositories","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16152","title":{"rendered":"Critical GitHub RCE bug exposed millions of repositories"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>A critical remote code execution (RCE) vulnerability in GitHub could potentially allow attackers to execute arbitrary code on GitHub.com and GitHub Enterprise Server.<\/p>\n<p>Uncovered by Wiz researchers, the now-patched bug exploited how GitHub handles server-side \u201cgit push\u201d operations. By crafting malicious input within a standard <a href=\"https:\/\/git-scm.com\/docs\/git-push\" target=\"_blank\" rel=\"noreferrer noopener\">Git push<\/a>, an authenticated user could execute arbitrary commands via GitHub\u2019s backend Git processing pipeline.<\/p>\n<p>GitHub acknowledged the severity of the finding, with CISO <a href=\"https:\/\/www.linkedin.com\/in\/alexis-wales-github-security\/\" target=\"_blank\" rel=\"noreferrer noopener\">Alexis Wales<\/a> noting, \u201cA finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program.\u201d<\/p>\n<p>GitHub fixed the issue on GitHub.com and released patches for all supported versions of GitHub Enterprise Server within hours of the report. 
However, Wiz said that 88% of Enterprise Server instances remained vulnerable on the internet at the time of public disclosure.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>GitHub\u2019s faulty processing of git push<\/h2>\n<p>The flaw, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-3854\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-3854<\/a>, stemmed from how GitHub processes git push requests within its backend Git infrastructure. According to Wiz, the issue involves an internal component referred to as X-STAT, which sits in the path of GitHub\u2019s server-side handling of <a href=\"https:\/\/www.csoonline.com\/article\/4164250\/critical-cursor-bug-could-turn-routine-git-into-rce.html\">Git <\/a>operations.<\/p>\n<p>Wiz researchers found that a specially crafted git push could pass maliciously structured input into X-STAT, where it was not safely handled before being incorporated into backend command execution. Because this processing happens server-side as part of GitHub\u2019s normal handling of repository events, the input could influence how commands were constructed or executed within that pipeline.<\/p>\n<p>The flaw received a near-critical CVSS rating of 8.8 out of 10, and was fixed in GitHub Enterprise Server versions 3.14.25 through 3.20.0. The flaw was categorized by GitHub as a \u201ccommand injection\u201d issue, resulting from \u201cimproper neutralization of special elements used in a command.\u201d<\/p>\n<p>AI was reportedly used in finding this flaw, using the<a href=\"https:\/\/plugins.hex-rays.com\/mxiris-reverse-engineering\/ida-mcp-server\"> IDA MCP<\/a> (AI-augmented) reverse engineering tooling. 
\u201cThis is one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified,\u201d Wiz researcher <a href=\"https:\/\/www.linkedin.com\/in\/sagi-tzadik-95b3a7194\/\" target=\"_blank\" rel=\"noreferrer noopener\">Sagi Tzadik<\/a> said in a blog<a href=\"https:\/\/www.wiz.io\/blog\/github-rce-vulnerability-cve-2026-3854\"> post<\/a>. \u201cDespite the complexity of the underlying system, the vulnerability is remarkably easy to exploit.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Full compromise across tenants<\/h2>\n<p>In its analysis, Wiz detailed how the issue could be escalated from initial command execution to full remote code execution on affected systems.<\/p>\n<p>\u201cOn GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,\u201d Tzadik said, adding that the impact was even more severe for self-hosted environments. On GitHub Enterprise Server, the vulnerability granted full server compromise, including access to all hosted repositories and internal<a href=\"https:\/\/www.csoonline.com\/article\/4052826\/ghostaction-campaign-steals-3325-secrets-in-github-supply-chain-attack.html\"> secrets<\/a>.<\/p>\n<p>Wiz confirmed that it did not access the contents of other tenants\u2019 repositories while testing the exploit. 
\u201cWe validated the cross-tenant exposure using only our own test accounts, confirming that the git user\u2019s filesystem permissions would allow reading any repository on the node,\u201d Tzadik added.<\/p>\n<p>GitHub shared remediation steps and full technical details in a <a href=\"https:\/\/github.blog\/security\/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">security blog<\/a> post, adding that \u201cGitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, GitHub Enterprise Cloud with Data Residency, and github.com were patched on March 4, 2026. No action is required from users of any of these.\u201d<\/p>\n<p>GitHub Enterprise Server users were urged to patch immediately with fixes available for all supported versions.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A critical remote code execution (RCE) vulnerability in GitHub could potentially allow attackers to execute arbitrary code on GitHub.com and GitHub Enterprise Server. Uncovered by Wiz researchers, the now-patched bug exploited how GitHub handles server-side \u201cgit push\u201d operations. By crafting malicious input within a standard Git push, an authenticated user could execute arbitrary commands via GitHub\u2019s backend Git processing pipeline. 
GitHub acknowledged the severity of&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16152\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16152","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16152"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16152\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}