GitHub engineers successfully patched a critical remote code execution vulnerability in less than six hours after it was reported by security researchers, according to a report from The Verge.
The vulnerability, identified as CVE-2026-3854, was discovered by Wiz Research using AI models. The flaw resided in GitHub's internal git infrastructure and posed a threat to millions of public and private code repositories.
GitHub Chief Information Security Officer Alexis Wales stated that the company's security team began validating the bug bounty report immediately. "Within 40 minutes, we had reproduced the vulnerability internally and confirmed the severity," Wales said.
According to the report, GitHub's engineering team developed and deployed a fix for both GitHub.com and GitHub Enterprise Server just over an hour after identifying the root cause. Wales confirmed that within two hours, the company had validated the finding, deployed the fix, and completed a forensic investigation that showed no evidence of exploitation.
AI-driven vulnerability discovery
Wiz Research utilized AI models to identify the flaw, marking a notable shift in security research methodologies. Sagi Tzadik, a security researcher at Wiz, noted that this represents one of the first instances of a critical vulnerability being found in closed-source binaries using AI.
While the patch was deployed rapidly, Wiz researchers warned that the vulnerability was remarkably easy to exploit despite the complexity of GitHub's systems. The discovery earned one of the highest rewards available in the company's Bug Bounty program.
This security incident follows a period of instability for the service. The Verge reported that GitHub recently experienced a major outage where previously merged commits were randomly reverted, alongside other recent service disruptions. Some employees have expressed concerns regarding the company's reliability and leadership stability.