Critical GitHub RCE bug exposed millions of repositories

Full compromise across tenants: In its analysis, Wiz detailed how the issue could be escalated from initial command execution to full remote code execution on affected systems.

“On GitHub.com, this vulnerability allowed remote code execution on shared storage nodes. We confirmed that millions of public and private repositories belonging to other users and organizations were accessible on the affected nodes,” Tzadik said, adding that the impact was even more severe for self-hosted environments. On GitHub Enterprise Server, the vulnerability granted full server compromise, including access to all hosted repositories and internal secrets.

Wiz confirmed that it did not access the contents of other tenants’ repositories while testing the exploit. “We validated the cross-tenant exposure using only our own test accounts, confirming that the git user’s filesystem permissions would allow reading any repository on the node,” Tzadik added.

GitHub shared remediation steps and full technical details in a security blog post, adding that “GitHub Enterprise Cloud, GitHub Enterprise Cloud with Enterprise Managed Users, GitHub Enterprise Cloud with Data Residency, and github.com were patched on March 4, 2026. No action is required from users of any of these.”

GitHub Enterprise Server users were urged to patch immediately, with fixes available for all supported versions.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4164925/critical-github-rce-bug-exposed-millions-of-repositories.html
