These guys were able to turn a simple git push command into a way to execute code on github.com's servers directly, they were able to get access other tenant's repos, including private ones.

Pretty crazy stuff.

The vulnerability was already patched.

Here is a blog post about how they did it: Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854)