Full Report
Claude ploughs through months of work in rapid time, helps Wiz researchers nab lucrative award
Analysis Summary
# Vulnerability: GitHub Internal Services Metadata Injection
## CVE Details
- **CVE ID:** CVE-2026-3854
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-88 (Improper Neutralization of Argument Delimiters), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** GitHub Enterprise Server (GHES) and GitHub.com infrastructure.
- **Versions:** Vulnerable versions prior to late April 2026.
- **Configurations:** Systems utilizing internal git infrastructure that processes "push options" and passes them via internal HTTP headers (X-Stat).
## Vulnerability Description
The flaw stems from a lack of input validation in GitHub’s internal services when processing git "push options." These options are intended to be key-value strings sent to the server. GitHub’s architecture packages these options into internal `X-Stat` HTTP headers for communication between microservices.
The system blindly trusted user-supplied push option values and failed to sanitize the **null byte** delimiter character. By injecting a null byte into a push option, an attacker could terminate the intended string and inject unauthorized values into the internal metadata. This allowed an attacker to trick the server into accepting malicious commands as trusted internal signals, ultimately providing full read/write access to private repositories.
## Exploitation
- **Status:** PoC developed by researchers; no evidence of exploitation in the wild (confirmed by GitHub CISO).
- **Complexity:** Low (Once reverse-engineered, it can be executed with a single command).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full read access to private repositories).
- **Integrity:** High (Full write access to private repositories).
- **Availability:** Low (Primary impact is data unauthorized access/modification).
## Remediation
### Patches
- GitHub applied fixes to GitHub.com within six hours of disclosure.
- **GitHub Enterprise Server (GHES):** Customers should update to the latest patched version released following the April 2026 disclosure.
### Workarounds
- No specific workarounds were provided; immediate patching of GHES instances is the recommended course of action.
## Detection
- **Indicators of Compromise:** Unusual null byte characters or injected fields within git push option logs.
- **Detection Methods:** GHES customers are advised to review access logs for signs of abuse or anomalous metadata patterns in push requests.
## References
- **Wiz Official Blog:** hxxps[://]www[.]wiz[.]io/blog/github-rce-vulnerability-cve-2026-3854
- **GitHub Security Advisory:** (Check internal GitHub GHES advisory portal)
- **GitHub Reward History:** hxxps[://]github[.]blog/security/vulnerability-research/10-years-of-the-github-security-bug-bounty-program/