CVE-2026-44244
Analyzed Analyzed - Analysis Complete

GitConfigParser.set_value() Newline Injection in GitPython

Vulnerability report for CVE-2026-44244, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-07

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header β€” so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-07
Last Modified
2026-05-11
Generated
2026-07-09
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-08
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gitpython_project gitpython to 3.1.49 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44244 is a vulnerability in GitPython versions 3.1.48 and earlier that allows remote code execution through newline injection in the config_writer().set_value() function.

The function does not validate input for newline characters, allowing attackers to inject malicious configuration values into the .git/config file.

Specifically, an attacker can inject a core.hooksPath setting that redirects Git hooks to an arbitrary directory, enabling execution of arbitrary scripts during Git operations like commits or merges.

GitPython's internal handling converts embedded newlines into indented continuation lines, but Git still interprets these as valid configuration, allowing the injected core.hooksPath to take effect.

This results in persistent repository configuration poisoning, where an attacker can force all subsequent Git operations to execute malicious hooks.

Compliance Impact

The vulnerability allows remote code execution through configuration poisoning, which can lead to unauthorized execution of arbitrary scripts during Git operations. This can compromise the confidentiality, integrity, and availability of data managed by affected applications.

Such unauthorized code execution and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access or modification.

Organizations using GitPython or dependent applications should audit their use of the vulnerable function and apply the patch to mitigate risks that could lead to non-compliance.

Impact Analysis

This vulnerability can lead to remote code execution by allowing attackers to inject malicious Git hook paths into repository configuration.

Any Git operation that invokes hooks (such as commit, merge, or checkout) will then execute scripts from the attacker-controlled path.

In multi-user environments, one user can poison a shared repository's configuration, causing hooks to run malicious code for every user's Git operations.

Even in single-user setups, the risk depends on whether the application automatically invokes Git hooks, potentially leading to execution of arbitrary scripts.

The CVSS score of 7.8 indicates a high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves injection of newline characters into GitPython configuration values, leading to malicious core.hooksPath settings in the .git/config file. Detection involves inspecting the .git/config file for unexpected or suspicious core.hooksPath entries that redirect Git hooks to attacker-controlled directories.

You can manually check the .git/config file in your repositories for any unusual core.hooksPath settings by running commands like:

  • grep -A 5 '\[core\]' .git/config
  • git config --list | grep core.hooksPath

Additionally, reviewing any recent changes to configuration files or monitoring for unexpected execution of Git hooks during operations like commit, merge, or checkout can help identify exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade GitPython to version 3.1.49 or later, where the vulnerability has been patched by rejecting control characters in configuration values.

Until the upgrade can be applied, avoid passing user-controlled input containing newline or control characters to GitPython's set_value() function.

Audit any applications using GitPython (such as DVC, MLflow, Kedro) to ensure they do not pass unsanitized input to configuration setters.

Also, review and clean any existing .git/config files for malicious core.hooksPath entries to prevent execution of attacker-controlled hooks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart