Input validation error in GitPython - CVE-2026-42284

Published: April 27, 2026


Vulnerability identifier: #VU128119
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-42284
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: gitpython-developers
Affected software:
GitPython

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper input validation in _clone() and Submodule.update() when processing user-supplied multi_options. A remote attacker can supply a specially crafted option string that, once transformed by shlex.split, injects unsafe git clone options and leads to arbitrary code execution.

The issue occurs because validation is performed on the original option list before the transformed arguments are passed to git, allowing embedded --config core.hooksPath settings to reach git during clone operations.
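The ordering problem described above, shown as an added example that is not GitPython's own code: a check that looks only at the original entries misses an option embedded later in the same string, while a check run over the shlex.split output sees every token git would receive. The unsafe-option list, the function names, the constructed option strings and the placeholder hook path are all assumptions made for this illustration.

```python
# Added example (not GitPython's own code): validate `git clone` options
# only after they have been transformed with shlex.split, so that an
# option embedded inside a longer entry cannot slip past the check.
import shlex
from typing import Iterable, List

# Options that untrusted input must never pass to `git clone`.
# --config / -c is the one named in the advisory; the rest of the list
# is an assumption about what a deployment would also block.
UNSAFE_OPTIONS = {"--config", "-c", "--upload-pack", "-u"}
# Config keys that may not appear anywhere in the argument vector
# (compared case-insensitively, as git treats config key names).
UNSAFE_CONFIG_KEYS = ("core.hookspath",)


def transform_multi_options(multi_options: Iterable[str]) -> List[str]:
    """Flatten each user-supplied entry into argv tokens with shlex.split."""
    args: List[str] = []
    for entry in multi_options:
        args.extend(shlex.split(entry))
    return args


def rejects_before_transform(multi_options: Iterable[str]) -> bool:
    """Flawed ordering: inspect only the leading word of each original entry.
    Returns True when this check would reject the input.  An unsafe option
    placed after other text in the same entry is never seen."""
    for entry in multi_options:
        words = entry.split(maxsplit=1)
        if words and words[0].split("=", 1)[0] in UNSAFE_OPTIONS:
            return True
    return False


def validate_transformed_args(args: Iterable[str]) -> List[str]:
    """Correct ordering: check every token git would actually receive.
    Raises ValueError on the first unsafe token, otherwise returns the list."""
    checked: List[str] = []
    for tok in args:
        name = tok.split("=", 1)[0]  # "--config=k=v" -> "--config"
        if name in UNSAFE_OPTIONS:
            raise ValueError(f"unsafe git option rejected: {tok!r}")
        if tok.startswith("-c") and not tok.startswith("--"):
            # attached short form such as "-ckey=value"
            raise ValueError(f"attached -c config option rejected: {tok!r}")
        if any(key in tok.lower() for key in UNSAFE_CONFIG_KEYS):
            raise ValueError(f"unsafe config key rejected: {tok!r}")
        checked.append(tok)
    return checked


def safe_clone_args(multi_options: Iterable[str]) -> List[str]:
    """Transform first, validate second: the order the advisory says was inverted."""
    return validate_transformed_args(transform_multi_options(multi_options))


def is_rejected(multi_options: Iterable[str]) -> bool:
    """Convenience wrapper: True if the transformed-argument check rejects the input."""
    try:
        safe_clone_args(multi_options)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a benign entry and one with an embedded --config.
    print(safe_clone_args(["--depth 1", "--branch main"]))
    crafted = ["--depth 1 --config core.hooksPath=/tmp/hooks-placeholder"]
    print("pre-transform check rejects:", rejects_before_transform(crafted))
    print("post-transform check rejects:", is_rejected(crafted))
```

The two checks differ only in what they inspect: the same forbidden list applied to the flattened token vector catches the embedded option, because that vector is exactly what git parses. Anything that accepts user-controlled clone options should validate at that point, not before the shell-style splitting.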


How to mitigate CVE-2026-42284

Install the security update from the vendor's website.

Sources