Critical GitHub RCE bug exposed thousands and thousands of repositories

“On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that thousands and thousands of private and non-private repositories belonging to other customers and organizations were accessible on the affected nodes,” Tzadik said, adding that the impact was much more severe for self-hosted environments. On GitHub Enterprise Server, the vulnerability granted full server compromise, including access to all hosted repositories and internal secrets.

Wiz confirmed that it did not access the contents of other tenants’ repositories while testing the exploit. “We validated the cross-tenant exposure using only our own test accounts, confirming that the git user’s filesystem permissions would permit reading any repository on the node,” Tzadik added.

GitHub shared remediation steps and full technical details in a security blog post, adding that “GitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, GitHub Enterprise Cloud with Data Residency, and github.com were patched on March 4, 2026. No action is required from customers of any of those.”
