A single git push command was enough to hijack GitHub's backend infrastructure and read millions of private and public repositories belonging to other users and organizations, researchers at cloud security firm Wiz disclosed Tuesday.
The vulnerability, tracked as CVE-2026-3854 (CVSS 8.7), affected GitHub.com, GitHub Enterprise Server, GitHub Enterprise Cloud, and GitHub Enterprise Cloud with Data Residency or Enterprise Managed Users. Wiz researchers reported the flaw to GitHub on March 4, and the company deployed a fix to GitHub.com within six hours. Patches for Enterprise Server followed on March 10.
Nearly two months later, 88% of Enterprise Server instances remain vulnerable, according to Wiz data.

The bug was an injection flaw in GitHub's internal X-Stat header, a semicolon-delimited metadata format that passes security-critical configuration between backend services. Git push options -- arbitrary strings users send with git push -o -- were copied into this header without sanitizing semicolons, so an attacker could terminate the push-options field early and append fields of their own that override security controls.
The exploitation chain required three injections: overriding rails_env to bypass the sandbox, redirecting custom_hooks_dir to control where the server looks for hook scripts, and injecting a path traversal payload through repo_pre_receive_hooks to execute arbitrary binaries as the git system user. On GitHub.com, the same chain worked after injecting one additional field -- an enterprise mode flag that defaults to "false" on the cloud platform but was equally injectable through the same mechanism.
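To make the mechanism concrete, here is a toy model of the flaw, written for this article and not taken from GitHub's or Wiz's code. It assumes a simplified `key=value` format joined by semicolons and a downstream consumer in which the last occurrence of a key wins; the article does not describe the real wire format or parsing order, so both are assumptions. The field names follow the article, the base configuration and the attacker's push option are constructed, and the path-traversal value is a placeholder rather than a real payload.

```python
"""Toy model of semicolon-delimited metadata injection via git push options.

Constructed illustration, not GitHub's code. Wire format and last-wins
parsing are assumptions; field names come from the published write-up.
"""
from urllib.parse import quote, unquote

SEP = ";"
RESERVED = set(";=\r\n")  # bytes that carry meaning in the header

# Constructed example of the security-critical configuration the header
# carries between services (values are illustrative).
BASE_FIELDS = {
    "rails_env": "production",
    "enterprise": "false",
    "custom_hooks_dir": "/data/user/git-hooks",
    "repo_pre_receive_hooks": "",
}

# Constructed attacker input: a single `git push -o` option whose embedded
# semicolons smuggle three extra fields. The traversal string is a placeholder.
MALICIOUS_OPTIONS = [
    "ci.skip;rails_env=development;custom_hooks_dir=/tmp/attacker"
    ";repo_pre_receive_hooks=../../attacker-controlled",
]


class HeaderInjection(ValueError):
    """Raised when user input would alter the header's structure."""


def build_header_vulnerable(base, push_options):
    """Copies push options into the header verbatim (the shape of the flaw).

    Push options land after the trusted fields, so with a last-wins consumer
    any field the attacker appends overrides the trusted value.
    """
    fields = dict(base)
    fields["push_options"] = ",".join(push_options)
    return SEP.join(f"{k}={v}" for k, v in fields.items())


def parse_header_naive(raw):
    """Consumer that trusts the producer: later keys silently overwrite earlier ones."""
    parsed = {}
    for part in raw.split(SEP):
        if part:
            key, _, value = part.partition("=")
            parsed[key] = value
    return parsed


def build_header_hardened(base, push_options):
    """Producer-side fix: reject reserved bytes, then percent-encode every value.

    Encoding is the structural fix (a value can never contain the delimiter);
    the explicit rejection of reserved bytes is belt-and-braces for a field
    that is entirely user controlled.
    """
    for opt in push_options:
        if RESERVED & set(opt):
            raise HeaderInjection(f"push option contains reserved character: {opt!r}")
    fields = dict(base)
    fields["push_options"] = ",".join(push_options)
    return SEP.join(f"{k}={quote(v, safe='')}" for k, v in fields.items())


def parse_header_strict(raw):
    """Consumer-side fix: refuse malformed or duplicate fields, decode values.

    Even if an upstream service forgets to encode, a duplicate key is a sign
    of tampering, not a legitimate override, so fail closed.
    """
    parsed = {}
    for part in raw.split(SEP):
        if not part:
            continue
        key, eq, value = part.partition("=")
        if not eq or key in parsed:
            raise HeaderInjection(f"malformed or duplicate field: {part!r}")
        parsed[key] = unquote(value)
    return parsed


def demo_vulnerable():
    """Vulnerable producer + trusting consumer: attacker fields win."""
    return parse_header_naive(build_header_vulnerable(BASE_FIELDS, MALICIOUS_OPTIONS))


def demo_hardened_producer():
    """Hardened producer refuses the option before it reaches the header."""
    try:
        build_header_hardened(BASE_FIELDS, MALICIOUS_OPTIONS)
        return "accepted"
    except HeaderInjection:
        return "rejected"


def demo_strict_consumer():
    """Strict consumer catches the duplicate keys a vulnerable producer emits."""
    try:
        parse_header_strict(build_header_vulnerable(BASE_FIELDS, MALICIOUS_OPTIONS))
        return "accepted"
    except HeaderInjection:
        return "rejected"


if __name__ == "__main__":
    print(demo_vulnerable())          # rails_env, custom_hooks_dir, hooks path all overridden
    print(demo_hardened_producer())   # rejected
    print(demo_strict_consumer())     # rejected
```

The point of modelling both ends is the one Wiz makes about shared internal protocols: the producer assumed push options were opaque strings, the consumer assumed every field came from a trusted peer, and neither assumption was enforced at the boundary. Fixing either side alone would have blocked this chain; fixing both is what a reviewer should ask for.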
"With unsandboxed code execution as the git user, we had full control over the GHES instance, including filesystem read/write access and visibility into internal service configuration," Wiz researcher Sagi Tzadik said.

The impact was compounded by GitHub's multi-tenant architecture. Code execution on shared storage nodes gave Wiz researchers access to millions of repository index entries belonging to other organizations and users -- a cross-tenant breach that GitHub's infrastructure is designed to prevent.
GitHub has conducted a forensic investigation and found no evidence the vulnerability was exploited in the wild.
This is one of the first critical vulnerabilities found in closed-source binaries with AI-assisted tooling. Wiz used automated reverse engineering through IDA MCP to rapidly analyze GitHub's compiled binaries, reconstruct internal protocols, and identify where user input could influence server behavior across the multi-service pipeline -- work that previously required impractical manual effort.
GitHub CISO Alexis Wales called the finding "rare," noting it earned one of the highest rewards in GitHub's Bug Bounty program.
"When multiple services written in different languages pass data through a shared internal protocol, the assumptions each service makes about that data become a critical attack surface," Wiz said.