AI Found GitHub's Most Dangerous Security Hole — Engineers Sealed It in Six Hours

Wiz Research used AI to uncover a critical RCE flaw in GitHub's git infrastructure; engineers patched it in under six hours with no confirmed exploitation.

In April 2026, security firm Wiz Research used AI tooling to uncover a remote code execution (RCE) flaw in GitHub's git backend, a weakness that put an enormous range of repositories at risk, public and private alike. GitHub engineers had the vulnerability contained within six hours of receiving the report, and a forensic review found no evidence of prior exploitation.

AI as the Auditor: A New Discovery Model

For decades, hunting flaws in closed-source binaries has depended almost entirely on human intuition and manual reverse engineering. The Wiz Research disclosure represents a meaningful departure. According to Wiz researcher Sagi Tzadik, this stands as “one of the first critical vulnerabilities discovered in closed-source binaries using AI” — a milestone pointing to a structural shift in how security teams can interrogate opaque codebases. Wiz has not disclosed which AI model aided the investigation, but the outcome is telling: automated analysis is now capable of surfacing flaws that earn top-tier bug bounty rewards.

The Six-Hour Containment Window

GitHub Chief Information Security Officer Alexis Wales described the response as a near-textbook operation. The security team reproduced the flaw internally in under 40 minutes and confirmed its severity. Engineers then developed and deployed a patch roughly 60 minutes after pinpointing the root cause — covering the cloud service and Enterprise Server deployments alike. A subsequent forensic sweep turned up zero evidence of prior exploitation. From external report to validated fix: under six hours.

The flaw itself, despite residing in a genuinely complex system, was characterized by Wiz as “remarkably easy to exploit.” That combination — low barrier to attack, sweeping blast radius — explains why Wales called it “a critical issue that required immediate action” and why it drew one of GitHub’s highest bug bounty payouts.

Why This Matters

This incident carries two distinct signals for the industry. First, AI-assisted security research is graduating from novelty to operational capability: when automated tooling can surface a critical flaw in proprietary binaries, both offensive and defensive teams need to recalibrate their threat models. Second, the disclosure lands against a backdrop of mounting reliability questions at GitHub — including a separate episode in which some users discovered that earlier-merged commits had been silently reversed. A sub-six-hour containment window is genuinely impressive; sustaining that standard while stabilizing a platform under evident strain will be the harder test.

Frequently Asked Questions

How quickly did GitHub patch the critical vulnerability discovered by Wiz Research?

GitHub's team reproduced the flaw internally in under 40 minutes and shipped a patch roughly 60 minutes after isolating the root cause — closing the full incident in under six hours from the initial report.

How was the GitHub vulnerability discovered?

Security firm Wiz Research used AI tooling to identify the flaw, marking one of the first critical vulnerabilities found in closed-source binaries through AI-assisted research.

#github #security #vulnerability #bug-bounty #ai-security #wiz-research