Back to News
Cybersecurity

New Research Exposes Vulnerabilities in GitHub's Verified Commits System

Recent findings reveal that GitHub 'Verified' commits can be manipulated, raising concerns over the integrity of software development.

Recent research has revealed a significant flaw in GitHub's 'Verified' commit system, indicating that the hash associated with a signed Git commit is not as unique as previously believed. Attackers can create a second commit with identical files, authorship, and timestamps, while still obtaining a valid signature that GitHub marks as 'Verified.' This means that everything a reviewer might check aligns perfectly, except for the commit hash itself, which undermines the fundamental trust in the version control system.

For businesses, this discovery highlights the urgent need for a reassessment of their reliance on GitHub's verification system to ensure the integrity of their software development workflows. Organizations must consider implementing additional security measures to validate the authenticity of commits and to educate their developers about the potential risks associated with trusting verified commits blindly. This matter is particularly critical in cybersecurity and AI domains, where the integrity of code can have far-reaching consequences. A breach in trust at this fundamental level could lead to vulnerabilities being introduced into software products, making it essential for companies to adopt more rigorous verification processes to safeguard against manipulation.

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/07/github-verified-commits-can-be.html)*