Security research firm Wiz disclosed on April 28 a critical remote code execution (RCE) vulnerability in GitHub’s internal git infrastructure, designated CVE-2026-3854. The flaw allows any authenticated GitHub user to execute arbitrary commands on GitHub’s backend servers through a single standard git push command.
Vulnerability Details
The vulnerability stems from an injection flaw in GitHub’s internal X-Stat header protocol. When users push code to GitHub via SSH, requests pass through multiple internal service components: babeld (git proxy entry point), gitauth (authentication service), gitrpcd (internal RPC server), and the pre-receive hook (security enforcement).
These components communicate security metadata via the X-Stat header, which uses semicolon-delimited key-value pairs. The critical issue is that babeld copies user-controlled git push option values directly into the X-Stat header without sanitizing semicolons. Attackers can inject malicious values containing semicolons in their push options, creating new attacker-controlled fields.
Because the X-Stat header uses “last-write-wins” semantics, attacker-injected fields silently override legitimate security fields. The research team mapped multiple injectable security-critical fields, including rails_env (controls hook execution path), custom_hooks_dir (hook script directory), and repo_pre_receive_hooks (pre-receive hook definitions).
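To make the mechanism concrete, here is an added toy model (not code from Wiz or GitHub) of a semicolon-delimited metadata header with last-write-wins parsing: a serializer that copies a value verbatim lets a single user-controlled value smuggle in a second field, while a serializer that refuses delimiter characters and a parser that fails closed on duplicates both stop it. The key=value shape, the push_option field name and the sample values are assumptions; only rails_env, the semicolon delimiter and the last-write-wins semantics come from the article.

```python
# Added example, not Wiz's or GitHub's code. The key=value shape and the
# push_option field are assumptions; rails_env and ";" come from the article.
DELIM = ";"
KV = "="

def parse_last_write_wins(header: str) -> dict:
    """Vulnerable parser: a later duplicate key silently overrides an earlier one."""
    fields = {}
    for item in header.split(DELIM):
        if KV in item:
            key, value = item.split(KV, 1)
            fields[key] = value
    return fields

def build_header_unsafe(fields: dict) -> str:
    """Vulnerable serializer: copies every value verbatim, delimiters included."""
    return DELIM.join(f"{k}{KV}{v}" for k, v in fields.items())

def build_header_safe(fields: dict) -> str:
    """Hardened serializer: refuse any key or value that carries a delimiter."""
    for k, v in fields.items():
        if any(c in k or c in v for c in (DELIM, KV)):
            raise ValueError(f"delimiter character in field {k!r}")
    return DELIM.join(f"{k}{KV}{v}" for k, v in fields.items())

def parse_strict(header: str) -> dict:
    """Hardened parser: fail closed on malformed items and duplicate keys."""
    fields = {}
    for item in header.split(DELIM):
        if KV not in item:
            raise ValueError(f"malformed field {item!r}")
        key, value = item.split(KV, 1)
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    return fields

def rejects(fn, arg) -> bool:
    """True if the hardened routine fails closed on the given input."""
    try:
        fn(arg)
    except ValueError:
        return True
    return False

# Constructed sample: the service sets rails_env, then appends a user-supplied
# push option whose value smuggles in a second rails_env field.
SAMPLE = {"rails_env": "production", "push_option": "x;rails_env=UNSANDBOXED"}
```

The fix belongs on both sides of the channel: the producer must never copy untrusted bytes into a delimited record unescaped, and the consumer should not let a later duplicate override a field it has already trusted.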
Exploitation Chain
The exploitation chain consists of three injection steps:
- Bypass the sandbox: Inject a non-production rails_env value to switch from the sandboxed production path to an unsandboxed direct execution mode.
- Redirect hook directory: Inject custom_hooks_dir to control the base directory where the binary looks up hook scripts.
- Inject hook definition: Inject a crafted hook entry with a path traversal sequence, ultimately executing arbitrary binaries on the filesystem.
On GitHub Enterprise Server (GHES), the full chain grants complete control over the instance, including all hosted repositories and internal secrets. On GitHub.com, the vulnerability allows remote code execution on shared storage nodes — the team confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes.
AI-Assisted Discovery
Notably, this is one of the first critical vulnerabilities discovered in closed-source binaries using AI. The Wiz team leveraged AI-augmented tooling — particularly automated reverse engineering using IDA MCP — to rapidly analyze GitHub’s compiled binaries, reconstruct internal protocols, and systematically identify where user input could influence server behavior across the entire pipeline.
Patch Status
GitHub mitigated the issue on GitHub.com within 6 hours of the report and released patches for all supported GHES versions. However, data at the time of disclosure indicated that 88% of GHES instances remained vulnerable. GitHub Enterprise Server customers are urged to upgrade to version 3.19.3 or higher immediately.
GitHub CISO Alexis Wales stated: “A finding of this caliber and severity is rare, earning one of the highest rewards available in our Bug Bounty program.”
Source: Wiz Blog