CVE-2026-44243
Analyzed Analyzed - Analysis Complete
GitPython Path Traversal Vulnerability

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44243
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gitpython_project gitpython to 3.1.48 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44243 is a path traversal vulnerability in the GitPython library, which is used to interact with Git repositories. The vulnerability arises because GitPython versions prior to 3.1.48 do not sufficiently validate reference paths during creation, rename, and delete operations. This allows an attacker who can supply a crafted reference path to write, overwrite, move, or delete files outside the repository's .git directory.

The issue occurs because while paths are checked when read, they are not properly validated before filesystem write operations, enabling unauthorized file system modifications outside the intended repository boundaries.

Impact Analysis

This vulnerability can allow attackers to modify or delete files outside the Git repository's .git directory by supplying crafted reference paths. Such unauthorized file system access can lead to corruption of application state or cause denial of service conditions.

Applications that expose GitPython reference operations to user-controlled input, such as CI/CD helpers, repository management backends, and developer platforms, are particularly at risk.

Detection Guidance

This vulnerability involves insufficient validation of reference paths in GitPython, allowing crafted reference paths to write, overwrite, move, or delete files outside the repository’s .git directory.

Detection involves identifying if your system or applications use GitPython versions prior to 3.1.48 and whether they accept user-controlled input for Git reference operations.

Since the vulnerability is exploited by supplying crafted reference paths, monitoring or logging unusual filesystem operations related to Git references or unexpected file modifications outside the .git directory may help detect exploitation attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade GitPython to version 3.1.48 or later, where this vulnerability has been patched.

Additionally, ensure that applications using GitPython do not expose reference operations to untrusted or user-controlled input without proper validation.

Validate reference paths before performing filesystem write, rename, or delete operations to ensure they remain within the repository boundaries.

Compliance Impact

The vulnerability in GitPython allows attackers to write, overwrite, move, or delete files outside the repository’s .git directory by exploiting insufficient validation of reference paths. This unauthorized file manipulation can lead to corruption of application state or denial of service.

Such unauthorized access and potential data corruption could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, confidentiality, and availability. If sensitive data or system files are affected, organizations using vulnerable versions of GitPython might face risks related to data breaches or service disruptions, potentially violating these regulations.

Therefore, it is important for organizations to apply the patch (version 3.1.48 or later) to mitigate these risks and maintain compliance with relevant security and data protection standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44243. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart