GitHub has patched a critical security vulnerability that could have exposed millions of code repositories, just hours after it was reported by researchers.

The vulnerability was identified by cybersecurity research company Wiz Research. “Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub’s internal Git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server,” the company said in a blog post.

The company also stated it discovered this vulnerability using AI, describing it as “one of the first critical vulnerabilities discovered in closed-source binaries using AI, highlighting a shift in how these flaws are identified.”

Wiz described the vulnerability as “easy to exploit,” a concern given the damage it could have caused.

For its part, GitHub said it received a report through its Bug Bounty program from researchers at Wiz describing “a critical remote code execution vulnerability” that affects various GitHub services.

GitHub said, “In less than two hours, we had validated the finding, deployed a fix to GitHub.com, and begun a forensic investigation that concluded there was no exploitation.” Wiz Research added that the issue was fully mitigated on GitHub.com “within 6 hours” of the initial report.

“With the root cause identified on March 4, 2026, at 5:45 p.m. UTC, our engineering team developed and deployed a fix to GitHub at 7:00 p.m. UTC that same day. The fix ensures that user-supplied push option values are properly sanitised and can no longer influence internal metadata fields,” GitHub explained.

GitHub also strongly recommended that users upgrade “to the latest patch release as soon as possible.”
