Wiz Research found a remote code execution vulnerability in GitHub's git infrastructure that let any authenticated user run arbitrary commands on GitHub's backend servers. One git push. That's all it took. The flaw, tracked as CVE-2026-3854, was a semicolon injection in GitHub's internal X-Stat header protocol that let an attacker override security policies such as file size limits. On GitHub.com, this meant access to millions of public and private repositories on shared storage nodes. On GitHub Enterprise Server, it meant full server compromise, including internal secrets.
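The bug class at work here is delimiter injection: an untrusted value is spliced into a `key=value;key=value` header, and a `;` inside that value lets it start a field of its own, so a policy field set by the server gets silently overridden. The example below is added here to illustrate that class with a constructed toy format; it is not GitHub's X-Stat protocol, code or field names, and the header layout, key names and size limit are assumptions for the illustration. It shows the vulnerable concatenation beside two defences: encoding delimiter characters in untrusted values on the way in, and rejecting duplicate keys on the way out.

```python
"""Delimiter ("semicolon") injection in a k=v;k=v header: vulnerable vs hardened.

Constructed illustration, not GitHub's code. Header layout, key names and the
size limit are made up for this example.
"""
from urllib.parse import quote, unquote

POLICY_LIMIT = 100 * 1024 * 1024  # constructed: a 100 MiB push size policy


def parse_stat_header(value: str, strict: bool = False) -> dict:
    """Parse 'k=v;k=v' into a dict.

    Lenient mode (the assumed original behaviour): last write wins, values are
    taken verbatim. Strict mode: duplicate keys are an error and values are
    percent-decoded, so an encoded ';' in a value comes back as a literal ';'
    without ever having acted as a delimiter.
    """
    fields: dict = {}
    for part in value.split(";"):
        if not part:
            continue
        key, _, raw = part.partition("=")
        if strict and key in fields:
            raise ValueError(f"duplicate key {key!r} in stat header")
        fields[key] = unquote(raw) if strict else raw
    return fields


def build_naive(repo_path: str) -> str:
    """Vulnerable pattern: the untrusted path is concatenated verbatim after the
    server-set policy field, so a ';' in it can append a second size_limit."""
    return f"size_limit={POLICY_LIMIT};path={repo_path}"


def build_hardened(repo_path: str) -> str:
    """Hardened: the untrusted value is percent-encoded, so ';' and '=' inside it
    can never terminate or start a field. The policy field stays authoritative."""
    return f"size_limit={POLICY_LIMIT};path={quote(repo_path, safe='/')}"


def effective_limit(header: str, strict: bool = False) -> int:
    """The size limit a downstream consumer would actually enforce."""
    return int(parse_stat_header(header, strict)["size_limit"])


if __name__ == "__main__":
    # Constructed untrusted input: a path carrying a ';' and a second size_limit.
    injected = "repo;size_limit=9999999999"
    print("naive    :", effective_limit(build_naive(injected)))      # policy overridden
    print("hardened :", effective_limit(build_hardened(injected)))   # policy preserved
    try:
        parse_stat_header(build_naive(injected), strict=True)
    except ValueError as exc:
        print("strict parser rejects naive header:", exc)
```

The two defences are independent: encoding at the producer stops the injection even with the lenient parser, and duplicate-key rejection at the consumer catches a producer that forgot to encode. Applying both is the usual defence in depth for any internal protocol that stringifies untrusted values into a delimited format.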

The discovery method matters here too. Wiz used IDA MCP, a tool that connects large language models to IDA Pro for automated reverse engineering of compiled binaries. The AI agent queried the disassembly database, tracing function signatures and control flow to correlate user-controlled git packets with dangerous system calls. Researcher Sagi Tzadik says this is one of the first critical vulnerabilities found in closed-source binaries using AI-augmented tooling. Concrete proof that MCP-powered agents can do real security work.

GitHub fixed GitHub.com within six hours of the report and released patches for GitHub Enterprise Server on March 10, 2026. As of April 28, 88% of GHES instances remained unpatched. Enterprise patching is painfully slow. GitHub CISO Alexis Wales called it one of the highest bug bounty rewards the company has ever paid, praising the collaboration with Wiz. If you're running GHES, upgrade to version 3.19.3 or later immediately.
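For anyone auditing a fleet of GHES instances, the practical check is a numeric version comparison rather than string matching (a naive string compare would rank "3.19.10" below "3.19.3"). The helper below is an added example, not GitHub's tooling. It assumes the installed version is obtained as a dotted string, for instance from the `installed_version` field of the GHES `/api/v3/meta` endpoint, and treats 3.19.3 as the minimum fixed version, which is the only fixed version this page states; any fixed versions for other release lines would come from GitHub's advisory and are not assumed here.

```python
"""Flag GHES instances below the fixed version for CVE-2026-3854.

Added example, not GitHub's own tooling. The sample inventory below is
constructed; the 3.19.3 threshold is the one stated in the report.
"""
import json
from typing import List, Tuple

FIXED_VERSION = "3.19.3"  # from the report: upgrade to 3.19.3 or later


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.19.10' -> (3, 19, 10). A leading 'v' and any pre-release suffix
    (e.g. '3.20.0-rc1') are tolerated; only the numeric core is compared."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version.
    Tuples compare element-wise, so (3, 19, 10) >= (3, 19, 3) is correct."""
    return parse_version(installed) >= parse_version(fixed)


def unpatched_hosts(inventory_json: str) -> List[str]:
    """Given a JSON list of {"host": ..., "installed_version": ...} records
    (the shape assumed for this example), return hosts still below the fix."""
    records = json.loads(inventory_json)
    return [r["host"] for r in records if not is_patched(r["installed_version"])]


# Constructed inventory for the example; hostnames and versions are made up.
SAMPLE_INVENTORY = json.dumps([
    {"host": "ghes-a.example.internal", "installed_version": "3.19.3"},
    {"host": "ghes-b.example.internal", "installed_version": "3.19.10"},
    {"host": "ghes-c.example.internal", "installed_version": "3.18.7"},
    {"host": "ghes-d.example.internal", "installed_version": "v3.19.2"},
])

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs upgrade:", host)
```

Run against a real inventory, the only thing to swap is the source of the JSON; the comparison logic is what prevents the "3.19.10 looks older than 3.19.3" mistake that string sorting produces.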