GitHub RCE Flaw Could Have Exposed Millions of Private Repos #cybersecurity #github #bugbounty

2.1K views · 190 likes · 2:53 · Apr 29, 2026

A single git push command could have given an attacker access to millions of private GitHub repositories. Wiz Research found the flaw, and GitHub patched it in under two hours.

CVE-2026-3854 is a critical vulnerability in GitHub's internal git proxy, babeld. When processing push options, babeld embedded user-supplied values into an internal header without sanitizing semicolons — the same character used as the field delimiter. Using last-write-wins parsing, an attacker could override security-critical settings with a single push, chaining three overrides to achieve code execution on shared backend storage nodes. GitHub's multi-tenant architecture meant one compromised node exposed every repository stored on it.

Wiz reported the flaw on March 4, 2026, and GitHub's security team reproduced it within 40 minutes and deployed a fix in under two hours. GitHub's forensic investigation found no evidence of exploitation. GitHub Enterprise Server patches are available, but according to Wiz, roughly 88% of reachable instances were still unpatched as of April 28th.

Sources:
https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
https://github.blog/security/securing-the-git-push-pipeline-responding-to-a-critical-remote-code-execution-vulnerability/
https://www.bleepingcomputer.com/news/security/github-fixes-rce-flaw-that-gave-access-to-millions-of-private-repos/

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.
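The bug class described above, delimiter injection into a semicolon-separated header that is parsed last-write-wins, as an added illustration that is not code from babeld, Wiz or GitHub: the header layout, the field names (repo, storage_role, push_opt) and the sample values are all assumptions constructed for the demo, and the hardened builder shows the fix pattern of refusing any push option that can carry a delimiter.

```python
import re

# Hypothetical header layout (an assumption, not babeld's real format): trusted
# fields are written first, the user-supplied push option is appended last, and
# fields are separated by ';'.
DELIM = ";"

def build_header(trusted: dict, push_option: str) -> str:
    """Vulnerable: embeds the push option verbatim, delimiter and all."""
    fields = [f"{k}={v}" for k, v in trusted.items()]
    fields.append(f"push_opt={push_option}")
    return DELIM.join(fields)

def parse_header(header: str) -> dict:
    """Last-write-wins: a repeated key is overwritten by its later occurrence."""
    parsed = {}
    for field in header.split(DELIM):
        key, _, value = field.partition("=")
        parsed[key] = value
    return parsed

# Hardened: only accept characters that can never act as a field or
# key/value separator; anything else is rejected before it reaches the header.
SAFE_PUSH_OPTION = re.compile(r"[A-Za-z0-9_.:/-]{1,256}")

def build_header_hardened(trusted: dict, push_option: str) -> str:
    if not SAFE_PUSH_OPTION.fullmatch(push_option):
        raise ValueError("push option contains a disallowed character")
    return build_header(trusted, push_option)

def demo():
    """Returns (role seen by the vulnerable path, role seen by the hardened path)."""
    trusted = {"repo": "org/private-repo", "storage_role": "reader"}  # constructed
    injected = "deploy=blue;storage_role=admin"  # constructed: carries the delimiter
    # Vulnerable path: the injected field lands last and wins the parse.
    role_vuln = parse_header(build_header(trusted, injected))["storage_role"]
    # Hardened path: the same input is refused outright, so no header is built.
    try:
        build_header_hardened(trusted, injected)
        role_hardened = "unreachable"
    except ValueError:
        role_hardened = None
    return role_vuln, role_hardened

if __name__ == "__main__":
    print(demo())  # ('admin', None)
```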