CVE-2026-41506
HTTP Credential Leak in go-git Smart-HTTP Operations
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-git | go-git | < 5.18.0 (fixed in 5.18.0) |
| go-git | go-git | 6.0.0 pre-releases < 6.0.0-alpha.2 (fixed in 6.0.0-alpha.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in go-git occurs when the library performs a smart-HTTP clone or fetch and the server answers with a redirect to a different host. In vulnerable versions (up to 5.17.2 and 6.0.0-alpha.1), go-git reuses the original HTTP authentication credentials when it follows the redirect. As a result, the Authorization header, and the credential it carries, is sent to a host that was never meant to receive it.
An attacker who controls or influences the redirect target could capture these credentials and misuse them to access the victim's repositories or other resources.
This issue has been fixed in versions 5.18.0 and 6.0.0-alpha.2 by introducing configurable redirect handling and safer default redirect policies.
How can this vulnerability impact me?
If you use a vulnerable version of go-git and perform smart HTTP clone or fetch operations, your HTTP authentication credentials could be leaked to an unintended host if a redirect occurs.
An attacker controlling the redirect target could capture these credentials and potentially gain unauthorized access to your private repositories or other sensitive resources.
This could lead to unauthorized data access or repository compromise.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the go-git library to version 5.18.0 or later, or to version 6.0.0-alpha.2 or later.
These versions introduce configurable redirect handling and default to a safer redirect policy that prevents HTTP authentication credentials from being leaked when following redirects during smart-HTTP clone and fetch operations.
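The leak described in the explanation above, and the kind of redirect policy the fix introduces, as an added Go example that is not go-git's code and does not use go-git's API (the option names of go-git's configurable redirect handling are not on this page and are not reproduced here). The `RedirectPolicy` type, `FetchInfoRefs`, `LeakCheck` and the two local test servers are constructed for this illustration: the client issues the first smart-HTTP request by hand, follows redirects itself, and compares the vulnerable reuse-credentials behaviour with two safer policies.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync/atomic"
)

// RedirectPolicy decides what the client does when a smart-HTTP request is
// answered with a 3xx pointing at a different scheme or host:port.
type RedirectPolicy int

const (
	// RedirectReuseAuth re-attaches the credentials on every hop, including
	// hops to another host. This models the vulnerable behaviour.
	RedirectReuseAuth RedirectPolicy = iota
	// RedirectSameHostOnly refuses any redirect that leaves the original host.
	RedirectSameHostOnly
	// RedirectDropAuth follows the redirect but sends it without credentials.
	RedirectDropAuth
)

// BasicAuth is the credential the client attaches to the request, as a Git
// client does for an authenticated smart-HTTP fetch (hypothetical type).
type BasicAuth struct{ User, Password string }

// FetchInfoRefs issues the first request of a smart-HTTP clone/fetch,
// GET <repo>/info/refs?service=git-upload-pack, and follows up to maxHops
// redirects by hand so that the policy, not the transport, decides whether
// the Authorization header travels to the next location.
func FetchInfoRefs(repoURL string, auth BasicAuth, policy RedirectPolicy, maxHops int) (*http.Response, error) {
	client := &http.Client{
		// Hand every 3xx back to us instead of letting net/http follow it.
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
	current, err := url.Parse(repoURL + "/info/refs?service=git-upload-pack")
	if err != nil {
		return nil, err
	}
	sendAuth := true
	for hop := 0; ; hop++ {
		req, err := http.NewRequest(http.MethodGet, current.String(), nil)
		if err != nil {
			return nil, err
		}
		if sendAuth {
			req.SetBasicAuth(auth.User, auth.Password)
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode < 300 || resp.StatusCode > 399 {
			return resp, nil // final answer; the caller closes the body
		}
		resp.Body.Close()
		if hop >= maxHops {
			return nil, errors.New("too many redirects")
		}
		next, err := resp.Location()
		if err != nil {
			return nil, err
		}
		// A change of scheme, host or port means the credential, issued for the
		// original host, is about to be sent somewhere else.
		if next.Scheme != current.Scheme || next.Host != current.Host {
			switch policy {
			case RedirectSameHostOnly:
				return nil, fmt.Errorf("refusing redirect from %s to %s", current.Host, next.Host)
			case RedirectDropAuth:
				sendAuth = false
			case RedirectReuseAuth:
				// sendAuth stays true: the credential follows the redirect (the leak).
			}
		}
		current = next
	}
}

// LeakCheck runs one scenario against two constructed local servers: an origin
// that redirects the info/refs request to a second server on another port, and
// a collector that records whether an Authorization header arrived there.
// It reports whether credentials reached the second host under the policy.
func LeakCheck(policy RedirectPolicy) (leaked bool, err error) {
	var seenAuth int32
	collector := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			atomic.StoreInt32(&seenAuth, 1)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer collector.Close()
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, collector.URL+r.URL.RequestURI(), http.StatusFound)
	}))
	defer origin.Close()

	resp, err := FetchInfoRefs(origin.URL+"/repo.git", BasicAuth{"user", "example-token"}, policy, 5)
	if resp != nil {
		resp.Body.Close()
	}
	return atomic.LoadInt32(&seenAuth) == 1, err
}

func main() {
	scenarios := []struct {
		name   string
		policy RedirectPolicy
	}{
		{"reuse-auth (vulnerable)", RedirectReuseAuth},
		{"same-host-only", RedirectSameHostOnly},
		{"drop-auth", RedirectDropAuth},
	}
	for _, s := range scenarios {
		leaked, err := LeakCheck(s.policy)
		fmt.Printf("%-24s credentials reached other host: %-5v err: %v\n", s.name, leaked, err)
	}
}
```

Running it shows the reuse-auth policy delivering the credential to the second server, the same-host-only policy stopping with an error before any request leaves the origin, and the drop-auth policy completing without credentials. The host comparison is deliberately strict (scheme and host:port), which is stricter than the same-domain rule net/http itself applies when it strips Authorization on redirects; a port-only or https-to-http change still counts as a foreign destination.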
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. Leaking authentication material in this way could lead to unauthorized access to repositories or other resources.
Such unauthorized disclosure of credentials could have implications for compliance with standards and regulations like GDPR or HIPAA, which require that sensitive data and credentials be protected. However, the available information does not explicitly discuss or analyze the impact of this vulnerability on compliance with these or other regulations.