VYPR
Advisory · Published Apr 29, 2026 · Updated May 18, 2026 · 1 source

GitHub Git Infrastructure Flaw CVE-2026-3854 Allowed Full Read/Write Access to Private Repos via Single Command

Wiz researchers discovered a high-severity vulnerability in GitHub's git infrastructure that allowed remote attackers to gain full read/write access to private repositories using a single command, earning one of the largest bug bounties in GitHub's history.

Wiz researchers have uncovered a critical flaw in GitHub's git infrastructure that could have allowed remote attackers to gain full read/write access to any private repository with a single command. The vulnerability, tracked as CVE-2026-3854 and assigned a CVSS score of 8.8 by NIST, was disclosed this week and has already been patched by GitHub within six hours of notification. The bug represents a significant finding in the ongoing battle to secure cloud-based development platforms, which have become prime targets for supply-chain attacks.

The vulnerability stems from how GitHub's internal services handle user-supplied push option values. Push options are a legitimate feature of the git protocol that lets a client send key-value strings to the server; GitHub packaged those strings into internal X-Stat HTTP headers passed between its services. Wiz found that these user-supplied values were blindly trusted and incorporated into the internal metadata of a push request. That metadata uses a null byte as its field delimiter, so an attacker who placed a null byte inside a push option could make downstream servers read the text that followed it as a trusted internal field, effectively spoofing their identity and permissions.
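To make the bug class concrete, the following is an added toy model of delimiter injection into NUL-separated service metadata. It is not GitHub's or Wiz's code, and the record layout, field names (`actor_id`, `repo_access`, `push_option`) and the "later field overrides earlier" parsing rule are assumptions chosen to illustrate the mechanism, not GitHub's real X-Stat format. The useful part for a defender is the hardened serializer, which refuses any option carrying the delimiter or other control characters before it reaches the internal record; the same `has_delimiter_injection` check can be applied to push-option values recorded in logs when looking for abuse.

```python
"""Toy model (added example, not GitHub's or Wiz's code) of NUL-delimited
service metadata built from user-supplied push options. The record format,
field names and the 'later field wins' parsing rule are assumptions."""

NUL = "\x00"


class MetadataError(ValueError):
    """Raised when a user-supplied push option cannot be safely embedded."""


def has_delimiter_injection(option: str) -> bool:
    """True if a push option contains the record delimiter or any other
    control character that a downstream parser could read as structure."""
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in option)


def _join_record(trusted: dict[str, str], push_options: list[str]) -> bytes:
    """Build the internal record: trusted fields first, then user options,
    all joined with the NUL delimiter."""
    fields = [f"{key}={value}" for key, value in trusted.items()]
    fields += [f"push_option={opt}" for opt in push_options]
    return NUL.join(fields).encode("utf-8")


def serialize_vulnerable(trusted: dict[str, str], push_options: list[str]) -> bytes:
    """The weak pattern: user values go straight into the record, so a NUL
    inside an option silently creates extra, attacker-controlled fields."""
    return _join_record(trusted, push_options)


def serialize_hardened(trusted: dict[str, str], push_options: list[str]) -> bytes:
    """Hardened form: reject any option that could be parsed as structure."""
    for opt in push_options:
        if has_delimiter_injection(opt):
            raise MetadataError(f"push option contains control characters: {opt!r}")
    return _join_record(trusted, push_options)


def parse_record(record: bytes) -> dict[str, str]:
    """Downstream consumer. Assumed rule: a later field overrides an earlier
    one, which is what turns an injected 'actor_id=...' into a spoofed identity."""
    result: dict[str, str] = {}
    for field in record.decode("utf-8").split(NUL):
        key, _, value = field.partition("=")
        result[key] = value
    return result


# Constructed sample values for the demonstration (not real identifiers).
TRUSTED = {"actor_id": "1001", "repo_access": "read"}
BENIGN_OPTION = "ci.skip=true"
MALICIOUS_OPTION = "ci.skip=true\x00actor_id=7\x00repo_access=write"


def demo_vulnerable() -> dict[str, str]:
    """Parse what the vulnerable serializer produces for the malicious option."""
    return parse_record(serialize_vulnerable(TRUSTED, [MALICIOUS_OPTION]))


def hardened_rejects(option: str) -> bool:
    """True if the hardened serializer refuses the given option."""
    try:
        serialize_hardened(TRUSTED, [option])
    except MetadataError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable path:", demo_vulnerable())
    print("hardened rejects malicious option:", hardened_rejects(MALICIOUS_OPTION))
    print("hardened accepts benign option:",
          parse_record(serialize_hardened(TRUSTED, [BENIGN_OPTION])))
```

Rejecting is the simplest fix; an alternative with the same effect is to escape or percent-encode user values before joining, as long as every consumer decodes them with the same rule. Either way, the invariant to enforce is that nothing under a client's control can ever contain the delimiter that separates trusted fields.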

Wiz researchers, assisted by AI tools including Claude Code and IDA MCP, reported developing a working exploit in under 48 hours. "By leveraging AI-augmented tooling, particularly automated reverse engineering using IDA MCP, we were able to do what was previously too costly," Wiz wrote in its blog post. The team had been tinkering with GitHub for two years but had previously considered reverse-engineering its internal binaries too daunting. The AI-assisted approach let them rapidly analyze compiled binaries, reconstruct internal protocols, and systematically identify where user input could influence server behavior across the entire pipeline.

The impact of the vulnerability was severe. An attacker exploiting CVE-2026-3854 could gain full read and write access to any private repository on GitHub.com or GitHub Enterprise Server (GHES). Wiz originally tested the vulnerability on GHES and found that an additional injection into an X-Stat field ensured the same exploit chain worked on GitHub.com. This meant that sensitive source code, proprietary algorithms, and confidential data stored in private repositories were at risk of exposure or tampering.

GitHub responded swiftly to the disclosure, issuing fixes within six hours and implementing additional hardening measures to prevent similar vulnerabilities from being as impactful in the future. Alexis Wales, GitHub's CISO, thanked Wiz for the discovery and confirmed that the team would receive one of the largest payouts in the history of GitHub's bug bounty program. While GitHub did not disclose the exact figure, critical vulnerabilities typically earn between $20,000 and $30,000, with the largest previous bounty being $75,000 in 2023. GitHub also confirmed that no attacker had ever carried out the attack on GitHub.com, though it advised GHES customers to check their access logs for signs of abuse.

The discovery of CVE-2026-3854 highlights a broader trend in cybersecurity: the increasing use of AI to accelerate vulnerability research. Wiz noted that in the pre-AI days, findings of this kind would have taken months of manual analysis by experienced researchers. The ability to use generic AI tools to reverse-engineer closed-source software is a double-edged sword, benefiting both defenders and attackers. As AI-assisted bug hunting becomes more accessible, the pressure on vendors to secure their infrastructure will only intensify, making rapid response and robust bug bounty programs essential components of modern security strategies.

Synthesized by Vypr AI