Ethical Hacking News
Google-owned Wiz has disclosed a critical flaw in GitHub's git infrastructure, posing a significant threat to users. The bug, identified as CVE-2026-3854, allows remote attackers to gain full read/write access to private repositories using a single command.
Github has disclosed a critical flaw in its git infrastructure, CVE-2026-3854, posing a significant threat to users.The bug was discovered by Wiz, a vulnerability research firm owned by Google, and allowed attackers to gain full read/write access to private repositories using a single command.Github has implemented fixes within six hours of the disclosure and additional hardening measures to prevent similar vulnerabilities in the future.The vulnerability was attributed to GitHub's blind trust of user input when processing push requests.The discovery highlights the importance of collaboration between security researchers and companies like Github, with Wiz receiving a significant payout for their research.
In a recent development that has sent shockwaves through the security community, Google-owned Wiz, a renowned vulnerability research firm, has disclosed a critical flaw in GitHub's git infrastructure. The bug, identified as CVE-2026-3854, poses a significant threat to users and has prompted GitHub to take swift action to address the issue.
According to the context data provided, the metadata used by GitHub is separated by a delimiter character – a null byte – which users could also type into push options. This characteristic made it vulnerable to exploitation by attackers who could abuse this delimiter character in their push command to trick a server into accepting it as a trusted internal value. Wiz originally tested the vulnerability on GitHub Enterprise Server (GHES) and found that an additional injection into an X-Stat field ensured the same exploit chain worked on GitHub.com too.
In response to the disclosure, GitHub responded promptly by issuing fixes for the vulnerability within six hours. Additionally, they implemented hardening measures to prevent similar vulnerabilities from being as impactful in the future, should they manifest. The company also acknowledged that no attacker had ever carried out the attack on GitHub.com, although it advised GHES customers to check their access logs for signs of abuse.
The vulnerability was attributed to a fundamental flaw in how GitHub's internal services blindly trust user inputs when processing push requests. Push options are an intentional feature of the git protocol designed to send key-value strings to a server. These options are packaged into internal X-Stat HTTP headers that are passed between services. However, the bug exploited the way in which user-supplied push option values were blindly trusted and incorporated into the internal metadata of a push request.
The impact of this vulnerability cannot be overstated, as it allows remote attackers to gain full read/write access to private GitHub repositories using a single command. This is a severe security breach that could have far-reaching consequences for users who rely on GitHub's infrastructure.
The discovery of this bug highlights the importance of collaboration and partnership between security researchers and companies like GitHub. Wiz's researcher, Alexis Wales, thanked Wiz for the discovery and expressed appreciation for the collaboration, professionalism, and partnership shown throughout the process. The reward for Wiz's research team was one of the biggest-ever payouts in the history of GitHub's bug bounty program.
The use of AI-augmented tooling, particularly automated reverse engineering using IDA MCP, played a significant role in Wiz's discovery of this vulnerability. By leveraging AI tools, the researchers were able to rapidly analyze GitHub's compiled binaries, reconstruct internal protocols, and systematically identify where user input could influence server behavior across the entire pipeline.
The findings of Wiz have sent ripples through the security community, with many experts hailing it as a turning point in the way vulnerabilities are discovered in closed-source software. As the landscape evolves, these close partnerships between skilled researchers and companies like GitHub will become increasingly important.
Related Information:
https://www.ethicalhackingnews.com/articles/GitHubs-Critical-Vulnerability-A-Game-Changer-in-Closed-Source-Software-Security-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/04/29/github_woah_a_genuinely_helpful/
https://nvd.nist.gov/vuln/detail/CVE-2026-3854
https://www.cvedetails.com/cve/CVE-2026-3854/
Published: Wed Apr 29 08:17:57 2026 by llama3.2 3B Q4_K_M
