CVE-2026-42284
Command Injection in GitPython Library
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gitpython_project | gitpython | all versions before 3.1.47 (3.1.47 excluded from the affected range) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows arbitrary code execution during Git clone operations by executing attacker-controlled hooks. Such unauthorized code execution can lead to data breaches, unauthorized access, and potential manipulation of sensitive information.
Consequently, organizations using vulnerable versions of GitPython may face increased risk of non-compliance with standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and require controls to prevent unauthorized access and data breaches.
Mitigating this vulnerability by upgrading to GitPython version 3.1.47 or later is essential to maintain compliance and reduce the risk of security incidents that could lead to regulatory penalties.
Can you explain this vulnerability to me?
CVE-2026-42284 is a vulnerability in GitPython, a Python library used to interact with Git repositories. The issue occurs in versions prior to 3.1.47: the `multi_options` parameter is validated before it is transformed by `shlex.split()`, so the check runs on the raw string rather than on the tokens that actually reach Git. This allows an attacker to craft a string that appears safe before splitting but, after splitting, includes malicious options such as `--config core.hooksPath=<directory>`. As a result, Git applies the attacker's configuration and executes attacker-controlled hooks during a clone operation.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution during Git clone operations. An attacker can inject malicious Git hooks that run automatically, potentially compromising the system where the clone is performed. This can result in unauthorized access, data manipulation, or further exploitation of the affected environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe handling of options passed to GitPython's clone functions, so it is not directly detectable through simple network commands.
To check whether your system is vulnerable, first determine the installed GitPython version. Versions 3.1.44 and earlier are affected, while version 3.1.47 and later include the fix.
- Run `python -c "import git; print(git.__version__)"` to print the installed GitPython version.
Additionally, monitor for Git clone operations that include unexpected `--config core.hooksPath` options, which could indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade GitPython to version 3.1.47 or later, where this vulnerability has been patched.
Avoid passing untrusted input to the `multi_options` parameter in functions like `clone_from()`, `clone()`, or `Submodule.update()` to prevent injection of malicious options.
Review and restrict Git operations that involve cloning repositories, especially those that might use user-supplied options.
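As an added example (not GitPython's own code), the hypothetical wrapper below validates `multi_options` in the order the explanation above implies is safe: split each entry with `shlex.split()` first, then allowlist every resulting token, so that a `--config` or `-c` override never reaches `git clone`. `ALLOWED_OPTIONS`, `UnsafeCloneOption`, `validate_multi_options` and `is_safe` are assumed names introduced here.

```python
import shlex

# Hypothetical allowlist for a wrapper around clone_from(); not GitPython's own code.
# Maps option name -> whether it takes a value. `--config` and `-c` are deliberately
# absent, so no core.hooksPath (or other) override can be smuggled through.
ALLOWED_OPTIONS = {"--depth": True, "--branch": True, "--single-branch": False, "--no-tags": False}


class UnsafeCloneOption(ValueError):
    """Raised when a multi_options entry carries something outside the allowlist."""


def validate_multi_options(raw_options: list[str]) -> list[str]:
    """Split each entry with shlex.split() FIRST, then validate the resulting tokens.
    Checking tokens rather than the raw string catches options that only take
    shape after splitting. Returns the tokens a caller may forward to Git."""
    tokens: list[str] = []
    for entry in raw_options:
        tokens.extend(shlex.split(entry))
    i = 0
    while i < len(tokens):
        # Accept both `--depth=1` and `--depth 1` spellings.
        name, has_eq, _ = tokens[i].partition("=")
        takes_value = ALLOWED_OPTIONS.get(name)
        if takes_value is None:
            raise UnsafeCloneOption(f"option not allowed: {name!r}")
        if takes_value and not has_eq:
            i += 1  # value is the next token and must not itself look like an option
            if i >= len(tokens) or tokens[i].startswith("-"):
                raise UnsafeCloneOption(f"{name} requires a value")
        elif not takes_value and has_eq:
            raise UnsafeCloneOption(f"{name} does not take a value")
        i += 1
    return tokens


def is_safe(raw_options: list[str]) -> bool:
    """True when every option in raw_options survives validation."""
    try:
        validate_multi_options(raw_options)
    except UnsafeCloneOption:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a benign option set, then the injection shape named in the CVE.
    print(validate_multi_options(["--depth 1", "--branch main"]))
    print(is_safe(["--depth 1 --config core.hooksPath=/tmp/constructed-hooks"]))  # False
```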