Friday, May 1, 2026

Critical GitHub RCE bug exposed tens of millions of repositories



GitHub fixed the issue on GitHub.com and released patches for all supported versions of GitHub Enterprise Server within hours of the report. However, Wiz said that 88% of Enterprise Server instances remained vulnerable online at the time of public disclosure.

GitHub’s faulty processing of git push

The flaw, tracked as CVE-2026-3854, stemmed from how GitHub processes git push requests within its backend Git infrastructure. According to Wiz, the issue involves an internal component called X-STAT, which sits in the path of GitHub’s server-side handling of Git operations.

Wiz researchers found that a specially crafted git push could pass maliciously structured input into X-STAT, where it was not safely handled before being incorporated into backend command execution. Because this processing happens server-side as part of GitHub’s normal handling of repository events, the input could influence how commands were constructed or executed within that pipeline.
