Executive Summary

CVE-2026-42215 is a command injection vulnerability in the GitPython library, which is used to interact with Git repositories in Python.

The vulnerability arises because GitPython blocks dangerous Git command-line options like --upload-pack and --receive-pack by default, but the equivalent Python keyword arguments (kwargs) upload_pack and receive_pack bypass these checks.

This happens because the validation occurs before the kwargs are converted into Git command-line flags, allowing attacker-controlled kwargs passed into functions like Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() to lead to arbitrary command execution.

This issue affects versions from 3.1.30 up to but not including 3.1.47, where it has been patched.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability can lead to arbitrary command execution on the host running GitPython.

This can result in theft of credentials, unauthorized modifications to Git repositories, or even full compromise of the host process.

Applications affected include web applications, CI/CD systems, and automation tools that pass untrusted input into GitPython functions.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable GitPython versions (3.1.30 to before 3.1.47) in your environment, especially in applications or automation tools that use Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() with potentially attacker-controlled kwargs.

Since the vulnerability involves bypassing Git option checks via Python kwargs, monitoring for unusual or unexpected usage of these functions with upload_pack or receive_pack keyword arguments can help detect exploitation attempts.

You can check installed GitPython version with the following Python command:

• python -c "import git; print(git.__version__)"

To detect suspicious usage or attempts to exploit, you may audit logs or add instrumentation to monitor calls to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() that include upload_pack or receive_pack kwargs.

Network detection might be difficult as the attack is local to the Python library usage, but monitoring for unexpected Git commands or subprocess executions spawned by applications using GitPython could help.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows arbitrary command execution through GitPython when attacker-controlled input is passed to certain functions, potentially leading to theft of credentials, unauthorized repository modifications, or full compromise of the host process.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure handling of credentials.

Exploitation of this vulnerability could result in exposure or alteration of protected data, thereby violating confidentiality, integrity, and availability requirements mandated by these regulations.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade GitPython to version 3.1.47 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, ensure that applications do not pass untrusted or attacker-controlled kwargs such as upload_pack or receive_pack into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() functions.

Review and harden any automation, CI/CD pipelines, or web applications that use GitPython to prevent injection of unsafe options via kwargs.

Consider adding input validation or sanitization on any user-controlled inputs that might be passed to GitPython functions.

Useful 0 Not Useful 0