DevOps Pulse

GitHub patched high-severity RCE vulnerability CVE-2026-3854 affecting authenticated users, while Azure SRE Agent exposed live command streams through unauthenticated WebSocket endpoints (CVSS 8.6). Rubrik launched the Ruby AI agent for automated recovery workflows, directly challenging Veeam's Data Command Center positioning with natural-language recovery commands. Supply chain attacks compromised the Trivy vulnerability scanner with credential-stealing malware, creating self-reinforcing attack loops in CI/CD pipelines where the security tools themselves become the weapons.


DevOps Platform Updates


Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.

GitHub CVE-2026-3854 High-Severity RCE Vulnerability Fixed

GitHub patched CVE-2026-3854, a high-severity remote code execution flaw triggered by crafted git push requests. Wiz researchers disclosed the vulnerability on March 4, and GitHub moved quickly to fix it. The flaw could have allowed authenticated users with push access to achieve arbitrary code execution, potentially reaching repositories belonging to other users on shared storage nodes.

github · Mean CEO Blog · 3 May

Microsoft Agent 365 Runtime Protection Generally Available

Microsoft released Agent 365 Runtime Protection (public preview) on April 30, 2026, providing runtime protection for AI agents across the ecosystem. The release also includes AI Security Posture Management in Defender for Cloud, enhanced AI-code scanning in GitHub Advanced Security, and AI Data Security Investigations in Microsoft Purview, addressing new threats from autonomous software agents.

azure-devops · Windows News · 1 May

GitLab 18.11 Agentic SAST Vulnerability Resolution GA

GitLab released version 18.11 on April 16, 2026, making Agentic SAST Vulnerability Resolution generally available to automatically resolve SAST vulnerabilities without leaving GitLab. The update also includes two new GitLab Duo Agent Platform foundational agents for CI and analytics, along with budget guardrails and usage caps for GitLab Credits.

gitlab · GitLab Releases · 16 Apr

GitHub Security Lab Taskflow Agent Open-Sourced

GitHub Security Lab announced the open-source Taskflow Agent framework in January 2026 for collaborative, AI-powered security research. The framework uses natural language to encode and share security knowledge, building on CodeQL with Model Context Protocol interfaces. It is designed for community-powered vulnerability discovery and elimination.

github · GitHub Blog · 20 Jan

Bitbucket OAuth 2.0 Security Changes Enforced May 4

Bitbucket Cloud enforced OAuth and token-authentication changes on May 4, 2026, to improve security and align with OAuth standards. Changes include stopping refresh token issuance for client credentials grants, restricting personal workspace OAuth consumers to workspace data only, and deprecating OAuth 1.0 and implicit grant flows with brownouts through March 14.

bitbucket · Bitbucket Cloud Changelog · 4 May

CVE-2026-32173 Azure SRE Agent Command Stream Exposure

A high-severity vulnerability (CVSS 8.6) in the Azure SRE Agent exposed live command streams through an unauthenticated WebSocket endpoint, allowing any Entra ID account holder to access them. It was part of a broader pattern of agentic AI security issues identified in May 2026, highlighting critical implementation gaps in autonomous agent deployments.

azure-devops · Adversa AI · 4 May

ExternalSecrets CVE-2026-42876 Privilege Escalation Fixed

A GitLab advisory reported CVE-2026-42876 on May 8, 2026, affecting ExternalSecrets: it allowed users to craft Service Account tokens for misconfigured Service Accounts in namespaces they could access. This medium-severity vulnerability (CVSS 5.1) affects all versions from 0.1.0 up to but not including 2.4.1; upgrading to version 2.4.1 or later remediates it.

gitlab · GitLab Advisories · 8 May

GitHub AI-Powered Bug Detection Expanded to More Languages

GitHub announced AI-powered vulnerability detection for Code Security in March 2026, expanding coverage beyond CodeQL to include Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems. Internal testing showed 80% positive developer feedback over 170,000 findings in 30 days, with Copilot Autofix reducing resolution time from 1.29 hours to 0.66 hours on average.

github · BleepingComputer · 25 Mar