CVE-2026-41506
Status: Undergoing Analysis - In Progress
HTTP Credential Leak in go-git Smart-HTTP Operations

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-08
EPSS evaluated: 2026-06-18
Sources: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
go-git   go-git    up to 5.18.0 (excluding); up to 6.0.0-alpha.2 (excluding)
go-git   go-git    5.18.0
go-git   go-git    6.0.0-alpha.2
CWE
CWE ID    Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Executive Summary

The vulnerability in go-git occurs when the library performs a smart-HTTP clone or fetch operation and the server answers with a redirect to a different host. In vulnerable versions (up to 5.17.2 and 6.0.0-alpha.1), go-git reuses the original HTTP authentication credentials on the request it sends to the redirected location, so sensitive data such as the Authorization header is transmitted to a host it was never intended for.

An attacker who controls or influences the redirect target could capture these credentials and misuse them to access the victim's repositories or other resources.

This issue has been fixed in versions 5.18.0 and 6.0.0-alpha.2 by introducing configurable redirect handling and safer default redirect policies.

Impact Analysis

If you use a vulnerable version of go-git and perform smart HTTP clone or fetch operations, your HTTP authentication credentials could be leaked to an unintended host if a redirect occurs.

An attacker controlling the redirect target could capture these credentials and potentially gain unauthorized access to your private repositories or other sensitive resources.

This could lead to unauthorized data access or repository compromise.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the go-git library to version 5.18.0 or later, or to version 6.0.0-alpha.2 or later.

These versions introduce configurable redirect handling and default to a safer redirect policy that prevents HTTP authentication credentials from being leaked when following redirects during smart-HTTP clone and fetch operations.
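The pattern behind this class of bug, and the two defences named above (scoping credentials to the host they were issued for, and a redirect policy that refuses to leave that host), can be shown with plain net/http. The program below is an added example, not go-git's code: the credential-attaching RoundTripper is a constructed model of the unsafe behaviour, the two httptest servers stand in for the original host and the redirect target (they differ only by port here, which is why the comparison is on the full host:port authority), and the path and credentials are made up.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// credentialTransport attaches HTTP Basic credentials to outgoing requests.
// With scopeToHost == "" it attaches them to every request, including the
// follow-up requests the client generates while following a redirect; this
// is a constructed model of the unsafe behaviour, not go-git's code.
// With scopeToHost set, credentials go only to that authority and are
// stripped from any request bound elsewhere.
type credentialTransport struct {
	user, pass  string
	scopeToHost string
	next        http.RoundTripper
}

func (t *credentialTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
	if t.scopeToHost == "" || r.URL.Host == t.scopeToHost {
		r.SetBasicAuth(t.user, t.pass)
	} else {
		r.Header.Del("Authorization")
	}
	return t.next.RoundTrip(r)
}

// errCrossHostRedirect is returned when a redirect would leave the authority
// the credentials were issued for.
var errCrossHostRedirect = errors.New("refusing to follow redirect to a different host")

// refuseCrossHostRedirect is an http.Client.CheckRedirect policy that only
// follows redirects that stay on the authority of the first request.
func refuseCrossHostRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return errors.New("stopped after 10 redirects")
	}
	if req.URL.Host != via[0].URL.Host {
		return errCrossHostRedirect
	}
	return nil
}

// probeRedirectLeak issues a constructed clone-like GET to an "origin" server
// that redirects to a second server on another authority, and reports whether
// that second server ever saw an Authorization header.
func probeRedirectLeak(scopeCredentials, refuseCrossHost bool) (leaked bool, err error) {
	var gotAuth atomic.Bool
	other := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			gotAuth.Store(true)
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer other.Close()

	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, other.URL+r.URL.Path, http.StatusFound)
	}))
	defer origin.Close()

	originHost := origin.Listener.Addr().String() // "127.0.0.1:<port>"
	tr := &credentialTransport{user: "ci-bot", pass: "constructed-token", next: http.DefaultTransport}
	if scopeCredentials {
		tr.scopeToHost = originHost
	}
	client := &http.Client{Transport: tr}
	if refuseCrossHost {
		client.CheckRedirect = refuseCrossHostRedirect
	}

	// Constructed smart-HTTP discovery path; the repository does not exist.
	resp, err := client.Get(origin.URL + "/repo.git/info/refs?service=git-upload-pack")
	if err != nil {
		return gotAuth.Load(), err
	}
	resp.Body.Close()
	return gotAuth.Load(), nil
}

func main() {
	cases := []struct {
		name          string
		scope, refuse bool
	}{
		{"unscoped credentials, follow all redirects", false, false},
		{"credentials scoped to original host", true, false},
		{"refuse cross-host redirects", false, true},
	}
	for _, c := range cases {
		leaked, err := probeRedirectLeak(c.scope, c.refuse)
		fmt.Printf("%-45s leaked=%v err=%v\n", c.name, leaked, err)
	}
}
```

The first case reproduces the failure mode: the redirect is followed and the second server receives the credentials. Scoping credentials to the issuing authority lets the redirect proceed without them, while the CheckRedirect policy stops the request before it leaves the original host; which of the two a client should default to is exactly the policy choice the fixed versions make configurable. Note that a CheckRedirect hook alone cannot fix a transport that re-attaches credentials on every request, because the transport runs after the hook; the scoping has to live where the credentials are added.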

Compliance Impact

The vulnerability in go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This leakage of sensitive authentication information could potentially lead to unauthorized access to repositories or other resources.

Such unauthorized disclosure of credentials could have implications for compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and credentials. However, the provided information does not explicitly discuss or analyze the impact of this vulnerability on compliance with these or other regulations.
