GitHub fixed the problem on GitHub.com and released patches for all supported versions of GitHub Enterprise Server within hours of the report. Nonetheless, Wiz said that 88% of Enterprise Server instances remained vulnerable on the internet at the time of public disclosure.
GitHub's flawed processing of git push
The flaw, tracked as CVE-2026-3854, stemmed from how GitHub processes git push requests within its backend Git infrastructure. According to Wiz, the issue involves an internal component called X-STAT, which sits in the path of GitHub's server-side handling of Git operations.
Wiz researchers found that a specially crafted git push could pass maliciously structured input into X-STAT, where it was not safely handled before being incorporated into backend command execution. Because this processing happens server-side as part of GitHub's normal handling of repository events, the input could influence how commands were constructed or executed within that pipeline.
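The bug class described above, untrusted fields from a git push reaching server-side command construction, is illustrated here with an added example that is not from Wiz's report or GitHub's code and makes no claim about how X-STAT itself works. It contrasts splicing a pushed ref name into a shell string with validating the ref against git's own ref-name rules and passing it as a single argv element; the sample ref names are constructed.

```python
import re
import subprocess
from typing import List

# Constructed sample: ref names as a server-side hook might receive them from a
# client's push. The second one is not a valid git ref and carries a shell
# metacharacter, which is exactly what a validator must stop at the boundary.
SAMPLE_REFS = ["refs/heads/feature/login", "refs/heads/x; echo injected"]

# Bytes that `git check-ref-format` forbids anywhere in a ref name:
# control characters, space, and the characters ~ ^ : ? * [ \
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]")


def is_valid_ref(ref: str) -> bool:
    """Mirror the core rules of `git check-ref-format` for a fully qualified ref."""
    if not ref or ref == "@" or "@{" in ref or ".." in ref:
        return False
    if _FORBIDDEN.search(ref) or ref.startswith("/") or ref.endswith(("/", ".")):
        return False
    parts = ref.split("/")
    if len(parts) < 2:  # one-level names such as "HEAD" are not accepted here
        return False
    # No empty component ("//"), none starting with "." or ending in ".lock".
    return not any(p == "" or p.startswith(".") or p.endswith(".lock") for p in parts)


def build_command_unsafe(ref: str) -> str:
    """Vulnerable pattern: the pushed ref is interpolated into a shell string.
    If this string were handed to a shell, 'x; echo injected' runs a second command."""
    return f"git rev-parse {ref}"


def build_command_safe(ref: str) -> List[str]:
    """Hardened pattern: reject anything git itself would not accept as a ref,
    then pass the ref as one argv element so no shell ever parses it."""
    if not is_valid_ref(ref):
        raise ValueError(f"rejected ref name: {ref!r}")
    return ["git", "rev-parse", "--verify", "--end-of-options", ref]


def run_safe(ref: str) -> subprocess.CompletedProcess:
    # argv list, no shell=True: the ref reaches git as data, never as syntax.
    return subprocess.run(build_command_safe(ref), capture_output=True, text=True)


if __name__ == "__main__":
    for r in SAMPLE_REFS:
        print("unsafe string:", build_command_unsafe(r))
        try:
            print("safe argv:    ", build_command_safe(r))
        except ValueError as e:
            print("safe argv:    ", e)
```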