It Only Took One Git Push to Access Millions of GitHub Repos
How an X-Stat field injection in GitHub’s internal git protocol let an authenticated user reach RCE on GitHub.com and GHES using nothing but a standard git push.
I use GitHub almost every day.
For personal projects, client work, experiments, and pretty much anything that involves code, GitHub is always part of my workflow. I push code, create branches, connect repos to deployment tools, and store a lot of my projects there without thinking too much about the system behind it.
So when I saw a post on X about a vuln…


