SB2026042793 - Multiple vulnerabilities in GitPython
Published: April 27, 2026 Updated: May 11, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-42284)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in _clone() and Submodule.update() when processing user-supplied multi_options. Each option string is passed through shlex.split before being handed to git, so a single string can expand into several command-line arguments. A remote attacker can supply a crafted option string that expands into unsafe git clone options and execute arbitrary code.
The issue occurs because the unsafe-option check runs against the original, unsplit option list rather than against the arguments actually passed to git. An unsafe option embedded after a space in an otherwise harmless-looking string is therefore not recognized, allowing an embedded --config core.hooksPath setting (which points git at attacker-controlled hook scripts that run during the clone) to reach git.
2) OS Command Injection (CVE-ID: CVE-2026-42215)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in Repo.clone_from(), Remote.fetch(), Remote.pull(), and Remote.push() when attacker-controlled kwargs are normalized into Git command-line options. A remote user can supply crafted upload_pack or receive_pack values to execute arbitrary code.
The issue occurs because the unsafe-option check inspects the kwargs in their underscore form (for example upload_pack) and does not recognize them; they are only afterwards converted into the corresponding dangerous flags (such as --upload-pack=<command>), which instruct git to run an attacker-chosen program. Exploitation does not require a malicious repository; control over the keyword arguments is sufficient.
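To make the root cause shared by both issues concrete, the following Python is an added example written for this bulletin, not GitPython's own code. It models the two transformations described above (shlex-splitting each multi_options string, and turning a kwarg such as upload_pack into an --upload-pack=... flag) and contrasts a check that runs before the transformation with one that runs on the final argument list. The function names, the sample attacker inputs and the /tmp paths are constructed for illustration and are assumptions, not details from the bulletin:

```python
import shlex

# Options that make git run a caller-chosen program on the local machine.
# The bulletin names --config core.hooksPath, --upload-pack and --receive-pack;
# -c and -u are git's short forms of --config and --upload-pack.
UNSAFE_PREFIXES = ("--upload-pack", "--receive-pack", "--config", "-u", "-c")


def normalize(multi_options, **kwargs):
    """Build the argv fragment git would receive from caller-supplied options.

    Illustrative model of the two transformations the bulletin describes, not
    GitPython's own code: every multi_options string is shlex-split into
    separate arguments, and every kwarg becomes a long option with underscores
    replaced by dashes (upload_pack="x" -> "--upload-pack=x", bare=True -> "--bare").
    """
    args = []
    for option in multi_options:
        args.extend(shlex.split(option))
    for key, value in kwargs.items():
        flag = "--" + key.replace("_", "-")
        args.append(flag if value is True else f"{flag}={value}")
    return args


def check_before_transform(multi_options, **kwargs):
    """Flawed ordering: validate the raw inputs, then transform them for git."""
    for item in list(multi_options) + list(kwargs):
        if item.startswith(UNSAFE_PREFIXES):
            raise ValueError(f"unsafe option rejected: {item!r}")
    return normalize(multi_options, **kwargs)


def check_after_transform(multi_options, **kwargs):
    """Correct ordering: transform first, then validate exactly what git sees."""
    args = normalize(multi_options, **kwargs)
    for arg in args:
        if arg.startswith(UNSAFE_PREFIXES):
            raise ValueError(f"unsafe option rejected: {arg!r}")
    return args


def rejects(check, multi_options, **kwargs):
    """True if the given check refuses these options."""
    try:
        check(multi_options, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker inputs modelled on the bulletin's two descriptions.
    hooks_path = ["--depth=1 --config core.hooksPath=/tmp/evil-hooks"]  # issue 1
    upload_pack = {"upload_pack": "touch /tmp/pwned"}                   # issue 2

    for name, check in (("before", check_before_transform),
                        ("after", check_after_transform)):
        print(name, "rejects hooksPath string:", rejects(check, hooks_path))
        print(name, "rejects upload_pack kwarg:", rejects(check, [], **upload_pack))
    # Legitimate options pass the post-transform check unchanged.
    print(check_after_transform(["--depth 1 --single-branch"], branch="main"))
```

The pre-transform check only ever sees the first token of each string and the bare kwarg name, so both payloads slip through; the post-transform check inspects the argument list that will actually be handed to the git subprocess, which is the only place the decision can be made reliably. The same pattern applies to any wrapper that rewrites caller input before building a command line.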
Remediation
Install the update from the vendor's website. Until the update is applied, do not pass attacker-controlled values into multi_options or into the option kwargs of the affected methods.