A high-severity vulnerability, CVE-2026-3854 (CVSS 8.7), disclosed yesterday by GitHub, affects GitHub Enterprise Server and would allow a user with push access to a repository to achieve remote code execution, according to GitHub.
GitHub said the flaw also affected github[.]com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, and GitHub Enterprise Cloud with Enterprise Managed Users. The Cloud variants have already been patched, while Enterprise Server customers must apply the patch themselves; exploitation requires an authenticated user with push access. Wiz reported the vulnerability on 4 March through GitHub’s bug bounty programme, and GitHub validated the finding within two hours and pushed a fix to github[.]com, with no exploitation observed.
The discovery was aided by an AI-assisted reverse-engineering tool, IDA MCP, which Wiz used to rapidly analyse GitHub’s compiled binaries and reconstruct their internal protocols, a process Wiz described as previously too costly and time-consuming. Wiz security researcher Sagi Tzadik noted in the company’s blog post that the team had been pursuing this target since September 2024 and that, with AI tools, the exploit went from idea to working code in under 48 hours.
In Wiz’s account, GitHub’s closed-source nature had contributed to both the risk and the obscurity of the flaw, but improvements in AI models are now enabling faster reverse-engineering of closed-source binaries and the development of exploits starting from a CVE identifier and a git commit hash. The article, by Alexander Culafi, was published on 29 April 2026.