A single git push gave RCE on GitHub's backend. An AI credential store hit within 36 hours.  ·  CYBERSIP.NET  ·  ISSUE 17
CYBERSIPTM
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 17 April 29, 2026 cybersip.net
Issue No. 17  ·  April 29, 2026  ·  3 active items  ·  Under 5 min read
Today's picture
GitHub disclosed a critical RCE vulnerability yesterday that Wiz researchers found in March. A single git push with crafted options gave any authenticated user code execution on GitHub's backend servers and cross-tenant access to millions of repositories. GitHub.com was patched within 75 minutes of discovery but GitHub Enterprise Server still has 88% of instances unpatched at time of disclosure. Separately, a SQL injection in LiteLLM, the widely deployed AI proxy that centralizes LLM provider credentials, was exploited within 36 hours of public disclosure. The attacker targeted the specific tables holding API keys and cloud credentials with surgical precision.
Threat snapshot
3 new · 2 monitoring
New CVSS 8.7
🔧 GitHub CVE-2026-3854. One git push gives RCE on backend servers and cross-tenant access to millions of repos.
Any authenticated user. Single command. No sandbox. GitHub.com patched. 88% of Enterprise Server instances unpatched at disclosure. Upgrade GHES to 3.19.3 or later.
New AI Infrastructure 36hr Exploit
🔑 LiteLLM SQL injection exploited within 36 hours. Attackers went straight for the LLM provider credential tables.
CVE-2026-42208 CVSS 9.3. Pre-authentication. Targets litellm_credentials and litellm_config tables. Patch to version 1.83.7. AI proxy credential stores are high-value targets.
New KEV Listed RMM
🖥 ConnectWise ScreenConnect added to CISA KEV. Second RMM platform this month confirmed exploited.
CVE-2024-1709. Critical authentication bypass. Widely deployed RMM platform. Federal deadline May 15. Patch or restrict access immediately.
Detailed intelligence
Full analysis
01 New CVSS 8.7
GitHub CVE-2026-3854. One git push gives backend RCE and cross-tenant access to millions of repositories.
CVE-2026-3854
What happened
Wiz Research disclosed CVE-2026-3854 yesterday after a coordinated disclosure process that began on March 4, 2026. The vulnerability exists in GitHub's internal git infrastructure, specifically in how its internal babeld git proxy handles user-supplied push option values. During a git push operation, any string passed via the push option flag is included verbatim in an internal semicolon-delimited X-Stat header. Because the semicolon is also used as the header's field delimiter, a crafted push option value can inject additional metadata fields that downstream services treat as trusted internal configuration. The practical impact is severe. Any authenticated GitHub user with push access to any repository can execute arbitrary commands on the backend server processing the push. On GitHub.com, because the git service runs in a shared multi-tenant environment, successful exploitation gave access to the shared storage node. Wiz confirmed they could read repositories from organizations they had no relationship with. The blast radius is effectively every repository hosted on the same backend node. GitHub received the report on March 4 and patched GitHub.com within 75 minutes of that report. Public disclosure was held until April 28 to allow GitHub Enterprise Server customers to patch. At time of disclosure, Wiz data showed 88% of GHES instances remained on vulnerable versions.
🏢
EXECUTIVE IMPACT  ·  GitHub hosts source code, secrets, deployment keys, and CI/CD pipelines for most enterprises. Cross-tenant RCE on shared backend infrastructure is not a single-organization breach. It is a class of exposure that could affect every customer on an affected node simultaneously. GHES customers need to patch before attackers reverse-engineer the now-public vulnerability details.
DON'T MISS  ·  GitHub published two posts on the same morning: one disclosing this RCE and one from the CTO apologizing for a separate reliability incident where the merge queue silently reverted 2,092 pull requests. Both stem from the same architectural pattern. Multiple services written in different languages share internal protocols where each service makes reasonable but dangerous assumptions about input from other services. The git push pipeline was not the only place this pattern exists. Any organization running GHES should treat this disclosure as a prompt to audit what other internal protocol boundaries exist in their own multi-service architectures.
CyberSip Take
The 75-minute patch-to-fix time on GitHub.com is genuinely impressive and reflects well on how GitHub handled the disclosure. The 88% unpatched GHES rate at disclosure is the other side of the same coin and reflects a structural challenge with self-hosted infrastructure. GitHub Enterprise Server customers made a deliberate choice to run their own instance in exchange for data control. That choice means they are also responsible for applying patches, and in this case the patch window between GitHub.com being fixed and the public disclosure was 55 days. Any GHES customer who was not patched within those 55 days had an unpatched critical vulnerability that attackers now know the details of. The lesson is not to move to SaaS. The lesson is that self-hosted enterprise software requires a patching cadence that matches the criticality of the software, and GitHub Enterprise Server, sitting at the center of most development pipelines, qualifies as critical.
Recommended actions
Derived from Wiz Research disclosure, GitHub Security Blog, and independent vulnerability analysis
02 New AI Infrastructure
LiteLLM SQL injection exploited within 36 hours. Attackers targeted LLM provider credential tables with surgical precision.
CVE-2026-42208
What happened
A pre-authentication SQL injection vulnerability in LiteLLM, the widely deployed open-source proxy that centralizes API routing across multiple LLM providers, was actively exploited within 36 hours of public disclosure. LiteLLM acts as a unified gateway for enterprises connecting applications to models from OpenAI, Anthropic, AWS Bedrock, and others. It stores upstream provider API keys, virtual API keys for internal billing, and proxy runtime configuration in a PostgreSQL database. The vulnerability exists in the Authorization Bearer header handling during proxy API key verification. The query mixes caller-supplied input directly into the query text rather than using parameterized queries. An unauthenticated attacker sending a crafted Authorization header to any LLM API route, including POST /chat/completions, can inject arbitrary SQL before authentication completes. The patch was included in version 1.83.7 released April 19. The vulnerability was indexed in the GitHub Advisory Database on April 24. The first exploitation attempt was recorded April 26 at 16:17 UTC, 36 hours and 7 minutes later. Sysdig documented the exploitation behavior in detail. The attacker was not running automated SQL injection tooling. They knew LiteLLM's internal database schema verbatim, referencing table and column names precisely, including litellm_credentials.credential_values and litellm_config. They ran targeted column enumeration against three specific tables that hold provider credentials and rotated between two adjacent IP addresses to reduce detection. This is a skilled operator who had already studied the target before the vulnerability was even disclosed.
🔑
EXECUTIVE IMPACT  ·  LiteLLM acts as a credential vault for your entire LLM provider stack. A breach here does not just expose one API key. It exposes the master keys to every model provider your organization has connected, plus the usage and billing data showing exactly how those models are being used internally. For companies using AI in production, this is the equivalent of compromising the password manager for the AI infrastructure team.
DON'T MISS  ·  The attacker in this incident knew the schema before the CVE was public. That means they were watching LiteLLM's repository, likely monitoring commit history and issue trackers, and built their exploit from the source code before any advisory existed. Sysdig noted the open-source schema alone was sufficient. This is a broader pattern emerging across AI infrastructure tools: because they are open source, attackers can study the internals, identify injection points, and have exploits ready before defenders have even read the advisory. Closed-source enterprise software has always had security through obscurity as a partial defense. Open-source AI tooling does not.
CyberSip Take
This is now the third AI infrastructure item this week. LMDeploy exploited in 13 hours on Monday, LiteLLM in 36 hours today. The exploitation windows are not shrinking because attackers are getting faster. They are shrinking because attackers are doing reconnaissance before disclosure and having working exploits ready before the advisory lands. The 36-hour window is the time between the GitHub advisory being indexed and the attacker pressing go, not the time between reading the advisory and writing the exploit. The actionable change this demands is treating AI infrastructure tools with the same patch urgency as production web application servers. When a vulnerability is disclosed in LiteLLM, the effective response window for organizations running it in production is measured in hours, not days. Most vulnerability management programs are not built for that cadence on tools their operations team deployed. The gap between discovery and remediation needs to close, or the credential tables those tools protect will close it for you.
Recommended actions
Derived from Sysdig threat research, LiteLLM security advisory, and national vulnerability database
03 New KEV Listed RMM
ConnectWise ScreenConnect added to CISA KEV. The second RMM platform confirmed exploited this month.
CVE-2024-1709
What happened
CISA added CVE-2024-1709, a critical authentication bypass in ConnectWise ScreenConnect, to the Known Exploited Vulnerabilities catalog today with a federal remediation deadline of May 15. ScreenConnect is a remote monitoring and management platform used by managed service providers and IT teams, comparable in deployment profile to SimpleHelp, which was added to KEV in Issue 13. The authentication bypass allows an unauthenticated attacker to create a new administrator account on unpatched instances by sending a crafted request to the setup wizard endpoint. Once the account is created, the attacker has full RMM access to every managed endpoint connected through that instance. ConnectWise patched this vulnerability in February 2024 and it was widely exploited at that time. The KEV addition today reflects confirmed renewed active exploitation, not the original 2024 campaign.
🖥
EXECUTIVE IMPACT  ·  ScreenConnect has administrative access to every endpoint it manages. An attacker who creates an admin account on an unpatched instance can deploy software, run commands, and exfiltrate data across the entire managed fleet. For MSPs this means every client. For enterprises this means every managed workstation and server. This is not a single-endpoint exposure.
DON'T MISS  ·  This is the second RMM platform in KEV this month. SimpleHelp was Issue 13. ScreenConnect is today. Both were exploited as precursors to ransomware delivery, not as end goals. Attackers are specifically selecting RMM platforms as the entry point for downstream attacks because the RMM provides authenticated access to the entire managed fleet without triggering the same alerts that a direct network intrusion would. Your RMM platform is indistinguishable from your IT team from the endpoint's perspective. Attackers have internalized this. Most security monitoring configurations have not.
CyberSip Take
CVE-2024-1709 was patched in February 2024. It appears in KEV today in April 2026 because unpatched instances still exist and attackers still find them. Two years after a widely publicized critical vulnerability with a simple exploit and thousands of affected organizations, the exploitation campaign is still active enough to warrant a federal alert. This is the recurring theme across April's brief. Old vulnerabilities stop being exploited only when they stop working. They stop working only when organizations patch. The May 15 federal deadline exists because CISA believes a significant number of organizations running ScreenConnect have not applied a two-year-old critical patch. If you use ScreenConnect or work with an MSP who does, today's action is verifying the version and access controls on that platform.
Recommended actions
Derived from CISA known-exploited vulnerability catalog and ConnectWise security advisory
Still watching
Aging items · days 2–6
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Medtronic breach (Issue 16). Investigation ongoing. Healthcare organizations with Medtronic contracts should review HIPAA notification obligations and monitor for social engineering using device or patient details. Day 2
CrowdStrike LogScale CVE-2026-40050 (Issue 16). Self-hosted deployments on GA 1.224.0 through 1.234.0 must upgrade. SaaS customers are already protected. Day 2
FIRESTARTER Cisco firewall backdoor (Issue 15). Federal power cycle deadline was April 30. If you run affected Cisco Firepower or Secure Firewall models and have not yet acted, review CISA Emergency Directive 25-03. Day 3
Cross-source standouts
What connects this week
01
AI infrastructure is being exploited as fast as any other software category now
LMDeploy in 13 hours on Monday. LiteLLM in 36 hours today. Marimo in KEV last week. Azure SRE Agent cross-tenant exposure the week before. The pattern across April is consistent and it names something that most security programs have not yet adjusted for: tools that handle LLM routing, model deployment, and AI agent orchestration are production infrastructure, they hold production credentials, and they are being scanned and exploited at the same speed as enterprise web applications. The teams deploying this tooling need the same patch cadence and network hygiene discipline as the teams running production web servers. That alignment has not happened yet at most organizations.
02
Open source AI tools let attackers do reconnaissance before the advisory exists
Sysdig's observation that the LiteLLM attacker knew the internal schema verbatim before exploitation points to a structural reality of open source software: the attack surface is fully documented in the public repository. An attacker monitoring LiteLLM's commits, issues, and dependency updates can identify vulnerable patterns, understand the data model, and build an exploit from source code before a CVE is assigned. The advisory and the patch arrived simultaneously. The exploit arrived 36 hours later. For organizations running open-source AI infrastructure tools in production, the realistic patch window after disclosure is shorter than any weekly or biweekly patching cycle can accommodate.
Past issues · 7-day archive
Copied to clipboard
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.