A serious vulnerability in GitHub’s Git infrastructure is a useful reminder that security boundaries do not disappear just because traffic is “internal.” CVE-2026-3854 was a remote code execution vulnerability in GitHub’s git push processing pipeline. It affected GitHub Enterprise Server and, before GitHub’s mitigation, GitHub.com and GitHub Enterprise Cloud environments. The issue was reported by Wiz through GitHub’s Bug Bounty program and publicly disclosed after fixes were available.

The technical details are interesting, but the broader lesson is more important for developers: user-controlled data can remain dangerous even after it passes through authenticated workflows, internal protocols, service headers, queues, and trusted backend systems.

There is also an AI security angle. Wiz described this as one of the first critical vulnerabilities discovered in closed-source binaries using AI-assisted reverse engineering.…