DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
Critical GitHub RCE Vulnerability CVE-2026-3854 Patched
<cite index="29-14,29-15,30-3">Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve remote code execution on the instance.</cite> <cite index="29-9,31-14">GitHub deployed a fix on GitHub.com within two hours and released patches for Enterprise Server versions.</cite>
Atlassian Security Bulletin Reports 42 High/Critical Vulnerabilities
<cite index="19-3,19-7">The vulnerabilities reported in this Security Bulletin include 39 high-severity vulnerabilities and 3 critical-severity third-party vulnerabilities, which have been fixed in new versions of our products released in the last month.</cite> <cite index="19-10,19-11">To fix all the vulnerabilities impacting your product(s), Atlassian recommends patching your instances to the latest version or one of the Fixed Versions for each product below. The listed Fixed Versions for each product are current as of May 19, 2026.</cite>
GitLab Duo False Positive Detection for SAST Launched
<cite index="1-3,1-4,1-5,1-6">When a SAST security scan runs, GitLab Duo automatically analyzes each vulnerability to determine the likelihood that it's a false positive. Detection is available for vulnerabilities from GitLab-supported SAST analyzers. Confidence score: A numerical score indicating the likelihood that the finding is a false positive. Explanation: Contextual reasoning about why the finding may or may not be a true positive.</cite> <cite index="1-9">This feature requires GitLab Duo with an active subscription.</cite>
Azure DevOps Bitbucket Integration Fixed After API Deprecation
<cite index="14-1,14-2">If you were experiencing issues integrating with Bitbucket specifically through Azure App Service, we did identify a service-side problem on April 8 related to the Bitbucket API deprecation. Our team investigated and deployed a hotfix, and the App Service Bitbucket integration should now be working normally.</cite> <cite index="14-20,14-21">Atlassian has deprecated the old "hooks & services" API that Azure Pipelines currently relies on for Bitbucket Cloud, and they're planning full removal soon. Unfortunately, there isn't a public ETA yet for when Azure DevOps Services (or Server) will switch over to the newer Bitbucket Cloud APIs.</cite>
Atlassian Introduces Confluence Remix and Partner Agents
<cite index="21-13">Confluence introduces Remix with Rovo and partner agents to turn pages into charts, infographics, prototypes, starter apps, and presentations, bringing AI-powered transformation directly into the workspace while keeping source content intact.</cite> <cite index="27-10,27-13">That linkage runs through the Teamwork Graph, the same layer of work relationships and context, built from over 100 billion data points across Atlassian, that powers agents in Jira and MCP skills for Rovo. Enable a partner's MCP server once and within minutes, teams get a ready-to-use agent in their Rovo directory, pre-configured by the partner, inheriting the permissions and context of your workspace.</cite>
GitHub Actions Security Roadmap Introduces Scoped Secrets
<cite index="8-1,8-3">The main takeaway from GitHub's 2026 Actions security roadmap is that CI/CD security is becoming more explicit, more policy-driven, and more infrastructure-aware.</cite> <cite index="8-15,8-16,8-18">GitHub plans to introduce scoped secrets so credentials can be bound more precisely to repositories, branches, environments, workflow identities, and trusted reusable workflows. Secret management will no longer automatically ride along with repository write access. This means GitHub is moving away from a model where secrets are broadly available within a repository context and toward one where access is conditional on the execution context and trust boundaries.</cite>