Full Report
Claude ploughs through months of work in rapid time, helps Wiz researchers nab lucrative award Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command.…
Analysis Summary
# Vulnerability: GitHub Internal Service Metadata Injection via Push Options
## CVE Details
- **CVE ID:** CVE-2026-3854
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-88 (Improper Neutralization of Argument Delimiters), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** GitHub.com and GitHub Enterprise Server (GHES)
- **Versions:** All versions prior to the April 2026 security update.
- **Configurations:** Systems utilizing "push options" (git protocol feature) that process user-supplied key-value strings.
## Vulnerability Description
The vulnerability stems from a flaw in how GitHub's multi-service architecture processes "push options", the optional key-value strings a client sends during a `git push`. These options are packaged into internal `X-Stat` HTTP headers for communication between internal services.
The system trusted user-supplied values without validation and failed to neutralize the null byte (`\0`), which the internal encoding uses as a field delimiter. By appending a null byte followed by crafted metadata to a push option, an attacker could "break out" of the user-controlled field and inject arbitrary values into the internal metadata. This allowed a remote attacker to impersonate highly privileged internal services, gaining full read/write access to any private repository.
## Exploitation
- **Status:** PoC developed by researchers; no evidence of exploitation in the wild according to GitHub.
- **Complexity:** Medium (Historically High, but reduced via AI-assisted reverse engineering).
- **Attack Vector:** Network (Single `git push` command).
## Impact
- **Confidentiality:** High (Full read access to private repositories).
- **Integrity:** High (Full write access to private repositories/source code).
- **Availability:** Low (Primary impact is data compromise and unauthorized access).
## Remediation
### Patches
- **GitHub.com:** Patched by vendor (April 2026).
- **GitHub Enterprise Server (GHES):** Patched versions released. Customers should update to the latest maintenance release immediately.
### Workarounds
- No specific workarounds were provided; immediate patching of GHES instances is the recommended course of action. GitHub has implemented internal hardening to prevent similar "delimiter injection" attacks.
## Detection
- **Indicators of Compromise:** Unusual metadata values in `X-Stat` headers or push logs containing null bytes or unexpected key-value pairs.
- **Detection methods and tools:** GHES administrators should audit access logs for anomalous push options and verify repository integrity for unauthorized modifications.
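As an added illustration (not GitHub's or Wiz's code; the internal `X-Stat` format is not public, so the push-option grammar, the key allowlist and the log-line layout below are assumptions), a Python validator that rejects the delimiter bytes the advisory describes before user-supplied push options are packaged into internal metadata, and a scan that applies the same rule to push logs, as the detection note above suggests:

```python
import re

# Push-option keys an internal consumer is expected to accept (constructed allowlist; hypothetical).
ALLOWED_KEYS = {"ci.skip", "merge_request.create"}

# Bytes that act as field delimiters in a downstream metadata encoding. The raw null byte is the
# one described in the advisory; other control bytes and the escaped spellings a log pipeline
# may emit ("\0", "\x00") are rejected as well.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f]|\\(?:0|x00)")


def validate_push_option(option: str) -> tuple[bool, str]:
    """Check one raw push option before it is forwarded as internal metadata.

    Returns (ok, reason). Rejects delimiter/control bytes (CWE-88) and keys
    outside the allowlist (CWE-20) so a value cannot spill into another field.
    """
    if _FORBIDDEN.search(option):
        return False, "control or delimiter byte in push option"
    key, sep, _value = option.partition("=")
    if not sep or key not in ALLOWED_KEYS:
        return False, f"unexpected push option key: {key!r}"
    return True, ""


def scan_push_log(lines):
    """Flag log lines whose push options would fail validate_push_option().

    Assumed (constructed) line layout:
        '<timestamp> push repo=<owner/name> user=<login> opts=<opt1>|<opt2>...'
    Returns a list of (timestamp, reason) tuples.
    """
    findings = []
    for line in lines:
        match = re.search(r"opts=(.*)$", line)
        if not match:
            continue
        for option in match.group(1).split("|"):
            ok, reason = validate_push_option(option)
            if not ok:
                findings.append((line.split()[0], reason))
    return findings


# Constructed sample log lines: one clean push, one carrying a null byte followed by an
# injected placeholder field, one using a key outside the allowlist.
SAMPLE_LOG = [
    "2026-04-02T10:00:01Z push repo=acme/app user=alice opts=ci.skip=true",
    "2026-04-02T10:00:07Z push repo=acme/app user=mallory opts=ci.skip=true\x00injected=1",
    "2026-04-02T10:00:09Z push repo=acme/app user=bob opts=unknown.key=1",
]
```

Run `scan_push_log(SAMPLE_LOG)` to see the two flagged entries; the same validator placed in front of the metadata packaging step is the mitigation counterpart of that detection.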
## References
- **Vendor Advisory:** hxxps[://]github[.]blog/news-insights/
- **Wiz Research Blog:** hxxps[://]www[.]wiz[.]io/blog/github-rce-vulnerability-cve-2026-3854
- **GitHub Security News:** hxxps[://]github[.]blog/security/vulnerability-research/