HN

Need help?
<- Back
GitHub RCE Vulnerability: CVE-2026-3854 Breakdown

GitHub RCE Vulnerability: CVE-2026-3854 Breakdown

bo0tzz

Comments (53)

  • jfkimmes
    They hint at their AI-augmented reversing methodology, which demonstrates one of the core strengths of current LLM agents. These models, trained extensively on code, can immensely speed up the process of understanding complex system internals.Security research historically has two difficult components that build on one another: 1. Understanding complex system internals: uncovering the inner workings hidden by abstractions or interfaces 2. Finding vulnerabilities in these uncovered mechanismsSometimes both steps are equally hard. But often, finding the vulnerability is trivial once the real mechanisms are uncovered, rather than relying on assumptions about inner workings.CVE-2026-3854 is a case where the vulnerability is not plainly obvious after understanding the internals. Still, I am confident that this command injection would have been found quickly had it been exposed to a more traditional or accessible attack surface.
  • jcims
    Anyone in here work at Wiz? Seem like they do pretty good work. Tool itself has survived extreme growth/feature bloat and still does pretty well. Security team has found some really cool stuff.
  • bananapub
    > April 28, 2026> GitHub Enterprise Server customers should upgrade immediately - at the time of this writing, our data indicates that 88% of instances are still vulnerable> Upgrade to GHES version 3.19.3 or laterhttps://docs.github.com/en/enterprise-server@3.19/admin/rele... :> Enterprise Server 3.19.3 - March 10, 202688% of on-prem customers haven't applied a critical security fix from 7 weeks ago, that seems ... bad.
  • angry_octet
    Another tour de force from Wiz, and a watershed moment in AI tooling enabling RE and compromise discovery.
  • latchkey
    People keep wanting to replace GitHub, but with what?If GH is getting RCE's this late in the game who wants to take the chance something else won't?
  • WASDx
    I was impressed enough by AI finding vulnerabilities in source code, but doing it in binary executables is just amazing. This has so much potential, good and bad.And yet another lesson to not treat data as instructions. Sanitize all user input!
  • halger
    Woah I wonder if they can tell if this has been exploited or not
  • formerly_proven
    This is just such an amateur hour vulnerability. Gluing strings together with no regard to what might be in them and then parsing them later...edit: I didn't mean it as a put-down of either the article or how they found the vulnerability, but it wasn't a constructive comment either way.
  • Neteam
    [dead]
  • willworktill4pm
    GitHub case will be thought in schools how to screw up almost monopolistic position in the market in couple years. This is beyond bonkers.