CVE-2026-42284
Command Injection in GitPython Library

Publication date: 2026-05-07

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list of strings, then executes shlex.split(" ".join(multi_options)). A single string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after splitting it becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the injected config and executes attacker-controlled hooks during the clone. This issue has been patched in version 3.1.47.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-05-07
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Vendor: gitpython_project
Product: gitpython
Version / Range: up to 3.1.47 (excluding)
CWE
CWE-88: The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Executive Summary

CVE-2026-42284 is a vulnerability in GitPython, a Python library used to interact with Git repositories. In versions prior to 3.1.47, the multi_options parameter is validated before it is transformed by shlex.split(). An attacker can therefore supply a string that passes validation but, once split, expands into additional options such as --config core.hooksPath=<directory>. Git then applies the attacker's configuration and executes attacker-controlled hooks during the clone operation.

Impact Analysis

This vulnerability can lead to arbitrary code execution during Git clone operations. An attacker can inject malicious Git hooks that run automatically, potentially compromising the system where the clone is performed. This can result in unauthorized access, data manipulation, or further exploitation of the affected environment.

Detection Guidance

This vulnerability involves unsafe handling of options passed to GitPython's clone functions. It is a library-level flaw rather than an exposed network service, so it cannot be detected by network scanning alone.

To detect if your system is vulnerable, first check the installed GitPython version. Versions 3.1.44 and earlier are affected, while version 3.1.47 and later include the fix.

  • Run the command: python -c "import git; print(git.__version__)" to determine the installed GitPython version.

Additionally, monitor for suspicious Git clone operations that include unusual --config core.hooksPath options, which could indicate exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade GitPython to version 3.1.47 or later, where this vulnerability has been patched.

Avoid passing untrusted input to the multi_options parameter in functions like clone_from(), clone(), or Submodule.update() to prevent injection of malicious options.

Review and restrict Git operations that involve cloning repositories, especially those that might use user-supplied options.

Compliance Impact

This vulnerability allows arbitrary code execution during Git clone operations by executing attacker-controlled hooks. Such unauthorized code execution can lead to data breaches, unauthorized access, and potential manipulation of sensitive information.

Consequently, organizations using vulnerable versions of GitPython may face increased risk of non-compliance with standards and regulations like GDPR and HIPAA, which mandate protection of sensitive data and require controls to prevent unauthorized access and data breaches.

Mitigating this vulnerability by upgrading to GitPython version 3.1.47 or later is essential to maintain compliance and reduce the risk of security incidents that could lead to regulatory penalties.
