Wiz AI tool finds RCE flaw in GitHub Enterprise
Key insights
- IDA MCP, an AI plugin for binary reverse engineering, found a CVSS 8.7 GitHub RCE that traditional source-level review likely would have missed.
- GitHub patched github.com within two hours of Wiz's March 4 report, but 88% of Enterprise Server on-prem instances remain unpatched.
- Any user with push access to a repository can trigger the header-injection exploit, requiring no elevated privileges beyond standard contributor access.
Why this matters
AI-assisted reverse engineering has crossed a threshold where a tool like IDA MCP can systematically audit compiled binaries at scale, meaning the attack surface hidden inside closed-source and proprietary software is no longer practically obscured from either defenders or adversaries. The 88% unpatched rate on GitHub Enterprise Server on-prem instances represents a live, critical window in which any actor with push access to an enterprise repo can achieve RCE on the server hosting that organization's entire codebase. For AI practitioners and founders building on GitHub Actions or self-hosted runners, a compromised git service user is a supply-chain entry point with direct access to build artifacts, secrets, and deployment configs.
Summary
Wiz used IDA MCP, an AI plugin for reasoning over compiled binaries, to find CVE-2026-3854: a CVSS 8.7 RCE flaw in GitHub Enterprise Server and github.com.
The bug lives in GitHub's internal X-Stat header, a semicolon-delimited field that carries push options. Because semicolons in push-option values were not stripped, any authenticated user with push access can overwrite trusted security fields in that header and escalate to RCE as the git service user.
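The following is an added illustration of the header-injection class described above; it is not code from Wiz or GitHub, and the field names (actor, role, push_option), the header layout and the "trusted" keys are constructed stand-ins, not GitHub's real X-Stat format. It generalizes the page's single case to the pattern: a builder that concatenates caller-supplied data into a delimiter-separated header, a parser in which a repeated key silently wins, and two independent fixes, one at the builder (reject the field delimiter) and one at the parser (refuse duplicate keys), each of which blocks the override on its own.

```python
# Added example of a semicolon-delimited header-injection class. All field
# names, the header layout and the sample values are constructed for this
# illustration; none of it is GitHub's actual X-Stat implementation.
from typing import Callable, Dict

Builder = Callable[[str, str, str], str]
Parser = Callable[[str], Dict[str, str]]


class HeaderInjectionError(ValueError):
    """Raised when a value would smuggle extra fields into the header."""


def build_header_vulnerable(actor: str, role: str, push_option: str) -> str:
    """Deliberately vulnerable: the caller-supplied push option is pasted
    into the ';'-delimited header with no check for the delimiter."""
    return f"actor={actor};role={role};push_option={push_option}"


def parse_header_naive(header: str) -> Dict[str, str]:
    """Naive parser: split on ';' and on the first '='. A repeated key
    silently wins, so a smuggled 'role=...' overrides the server-set one."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def build_header_hardened(actor: str, role: str, push_option: str) -> str:
    """Hardened builder: refuse any value containing the field delimiter, so
    caller data can never terminate its field and start another. A literal
    '=' inside a value is harmless because the parser splits on the first
    '=' only, so push options of the form key=value remain usable."""
    for name, value in (("actor", actor), ("role", role), ("push_option", push_option)):
        if ";" in value:
            raise HeaderInjectionError(f"field delimiter in {name!r}")
    return f"actor={actor};role={role};push_option={push_option}"


def parse_header_strict(header: str) -> Dict[str, str]:
    """Defensive parser: reject malformed parts and duplicate keys instead
    of letting the last occurrence win. This catches an injected field even
    when the header came from an unpatched builder."""
    fields: Dict[str, str] = {}
    for part in header.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep or not key or key in fields:
            raise HeaderInjectionError(f"malformed or duplicate field {key!r}")
        fields[key] = value
    return fields


def effective_role(builder: Builder, parser: Parser, push_option: str) -> str:
    """Build a header for a 'contributor' actor with the given push option,
    parse it, and return the role the server would act on."""
    header = builder("alice", "contributor", push_option)
    return parser(header)["role"]


def rejects(builder: Builder, parser: Parser, push_option: str) -> bool:
    """True if either side raises HeaderInjectionError for this input."""
    try:
        effective_role(builder, parser, push_option)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a push option carrying the field delimiter.
    smuggled = "ci=skip;role=admin"
    print("vulnerable pair  :", effective_role(build_header_vulnerable, parse_header_naive, smuggled))
    print("hardened builder :", "rejected" if rejects(build_header_hardened, parse_header_naive, smuggled) else "accepted")
    print("strict parser    :", "rejected" if rejects(build_header_vulnerable, parse_header_strict, smuggled) else "accepted")
    print("benign option    :", effective_role(build_header_hardened, parse_header_strict, "ci=skip"))
```

The useful point for defenders is the second fix: even if the component that builds the header cannot be patched immediately, a parser that treats a duplicated trusted key as an error rather than an override closes the same class of bug, and the rejection is a concrete event worth logging.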
Essentially (Wiz, GitHub): AI binary analysis found a header-injection class that source-level review missed.
- GitHub patched github.com within two hours of Wiz's March 4 report.
- 88% of Enterprise Server on-prem instances remain unpatched at coordinated disclosure.
- The attack requires only standard push access, so any contributor account qualifies.
AI-augmented binary reversing is now finding CVEs at a scale human teams could not practically reach.
Potential risks and opportunities
Risks
- The 88% of unpatched GitHub Enterprise Server instances face active exploitation before administrators apply the patch, with any contributor-level account serving as the entry point
- Organizations running GitHub Enterprise Server for CI/CD pipelines face potential supply-chain compromise if the git service user can write to build artifacts, deployment configs, or secrets stores
- Wiz's public disclosure of IDA MCP's capability signals to adversarial researchers that AI-assisted binary analysis is viable at scale, likely accelerating discovery of similar header-injection CVEs in other enterprise software
Opportunities
- Binary analysis security vendors (Binarly, CENSUS, Exodus Intelligence) can position IDA MCP-style AI augmentation as a differentiator for closed-source software audits and enterprise CVE programs
- GitHub Enterprise Server resellers and managed-service providers can offer immediate patch deployment as a premium service targeting the 88% unpatched on-prem customer base
- MCP tooling vendors and IDA plugin developers have a validated commercial proof point for AI-augmented reverse engineering, likely accelerating investment in IDA MCP and similar platforms
What we don't know yet
- Whether the 88% unpatched rate has declined since Wiz's coordinated disclosure date and what GitHub's Enterprise Server forced-update or customer notification policy actually covers
- Which specific push-option fields in the X-Stat header can be overwritten beyond Wiz's published details, and whether variant injection paths exist in the same parsing code
- Whether github.com's two-hour patch closed related header-parsing paths broadly or only addressed the specific CVE-2026-3854 vector
Originally reported by darkreading.com
Original headline: Wiz Discloses AI-Discovered GitHub RCE — CVE-2026-3854 Lets Any Authorized Git Push Hijack Enterprise Server via Header Injection