GitHub RCE (CVE-2026-3854) - Deep Dive & Lessons Learned
In this video, I do a deep dive into CVE-2026-3854 — a critical RCE in GitHub's internal git infrastructure — where a single git push command with a carefully crafted option was enough to gain code execution on GitHub's backend and access millions of private repositories belonging to other customers.

This is part of the Lessons Learned series, where we take real-world vulnerabilities and extract design lessons you can apply when building or reviewing your own systems. We go through the exploit chain, the root cause (missing input sanitization on git push options), and the lessons we can take from this as application security engineers:

🔹 Input validation: simple but powerful, and it protects against far more than just this vulnerability class
🔹 Tools are useful but not sufficient: why SAST wouldn't have caught this, and what to do instead
🔹 Least privilege: how scoping down credentials limits blast radius even when RCE is possible
🔹 Tenant isolation at the platform level: when application-level protection isn't enough, and the real trade-offs GitHub faced

📌 Read more:
Read on Medium: / github-rce-cve-2026-3854-deep-dive-lessons...
CVE Writeup: https://www.wiz.io/blog/github-rce-vu...
GitHub's Fix: https://github.blog/security/securing...
GitHub Fork Deduplication: https://github.blog/open-source/git/c...
GitHub Resilience: https://github.blog/engineering/infra...

⏱️ Chapters:
00:00:00 Intro
00:00:21 What is the Lessons Learned Series?
00:01:04 Vulnerability Overview & Impact
00:02:09 How git push Works (Architecture)
00:05:43 The Vulnerability: X-Stat Option Injection
00:08:01 Escalation to RCE (Pre-Receive Hook)
00:09:38 Extending the Attack to GitHub.com
00:10:36 GitHub's Fix
00:12:02 Lesson #1: Input Validation
00:14:20 Lesson #2: Tools Are Useful but Not Sufficient
00:16:37 Lesson #3: Apply Least Privilege
00:17:35 Lesson #4: Tenant Isolation — Application vs. Platform Level
00:19:37 Tenant Isolation — A Practical Example
00:22:03 GitHub's Trade-offs: When the Secure Option Isn't the Best Option
00:30:56 Recap

#AppSec 🛡️ #ApplicationSecurity 🔐 #SecurityEngineering 🧠 #DevSecOps ⚙️ #ThreatModeling 🧩 #SecureByDesign 🏗️ #CyberSecurity 🛡️ #Software 👨🏻‍💻