CVE-2026-45022
Status: Analyzed - Analysis Complete
Malformed Git Object Parsing in go-git

Publication date: 2026-05-27

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.
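The core of the advisory is that a signer or verifier which operates on a reconstruction of a parsed object, rather than on the raw bytes stored in the repository, can attest to something other than what the repository holds. The Go program below is an added example and is not go-git's code: it is a hypothetical strict commit-header parser (rejecting duplicate, missing or unknown headers) combined with a round-trip check that refuses to hand out a signing/verification payload unless re-encoding the parsed form reproduces the raw object byte for byte. The function names (ParseCommitStrict, SignedPayload, ErrMalformed) and the sample objects are constructed for illustration; the gpgsig header is omitted to keep the grammar short.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// ParsedCommit is a hypothetical decoded representation of a commit's headers and message.
type ParsedCommit struct {
	Tree      string
	Parents   []string
	Author    string
	Committer string
	Message   string
}

// ErrMalformed is returned for any object outside the strict grammar below.
var ErrMalformed = errors.New("malformed commit object")

// ParseCommitStrict parses raw commit content (the bytes after the "commit <size>\0" prefix).
// Headers are "key value" lines; tree, author and committer must appear exactly once, parents
// may repeat, and anything else (including continuation lines) is rejected rather than guessed at.
func ParseCommitStrict(raw []byte) (*ParsedCommit, error) {
	headerEnd := bytes.Index(raw, []byte("\n\n"))
	if headerEnd < 0 {
		return nil, fmt.Errorf("%w: no blank line separating headers from message", ErrMalformed)
	}
	c := &ParsedCommit{Message: string(raw[headerEnd+2:])}
	seen := map[string]int{}
	for _, line := range bytes.Split(raw[:headerEnd], []byte("\n")) {
		key, value, ok := bytes.Cut(line, []byte(" "))
		if !ok || len(key) == 0 {
			return nil, fmt.Errorf("%w: header line %q lacks a key/value separator", ErrMalformed, line)
		}
		k := string(key)
		seen[k]++
		switch k {
		case "tree":
			c.Tree = string(value)
		case "parent":
			c.Parents = append(c.Parents, string(value))
		case "author":
			c.Author = string(value)
		case "committer":
			c.Committer = string(value)
		default:
			// Unknown headers are exactly where implementations diverge; refuse instead of guessing.
			return nil, fmt.Errorf("%w: unexpected header %q", ErrMalformed, k)
		}
	}
	for _, must := range []string{"tree", "author", "committer"} {
		if seen[must] != 1 {
			return nil, fmt.Errorf("%w: header %q appears %d times, want exactly 1", ErrMalformed, must, seen[must])
		}
	}
	return c, nil
}

// Encode reconstructs commit bytes from the parsed form in git's canonical header order.
func (c *ParsedCommit) Encode() []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "tree %s\n", c.Tree)
	for _, p := range c.Parents {
		fmt.Fprintf(&b, "parent %s\n", p)
	}
	fmt.Fprintf(&b, "author %s\n", c.Author)
	fmt.Fprintf(&b, "committer %s\n", c.Committer)
	b.WriteString("\n")
	b.WriteString(c.Message)
	return b.Bytes()
}

// SignedPayload returns the bytes a signature must cover. It parses the raw object and then
// refuses unless re-encoding the parsed form reproduces the raw bytes exactly: any difference
// means the parser dropped, reordered or reinterpreted something, so a signature over the
// reconstruction would not attest to the object actually stored.
func SignedPayload(raw []byte) ([]byte, error) {
	c, err := ParseCommitStrict(raw)
	if err != nil {
		return nil, err
	}
	if enc := c.Encode(); !bytes.Equal(enc, raw) {
		return nil, fmt.Errorf("%w: re-encoded object differs from raw bytes", ErrMalformed)
	}
	return raw, nil
}

// Constructed sample objects (not real repository data). The tree id is git's well-known empty tree.
var (
	sampleGood = []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
		"author Alice <alice@example.com> 1700000000 +0000\n" +
		"committer Alice <alice@example.com> 1700000000 +0000\n\nInitial commit\n")
	// Two author headers: parsers that keep the first and parsers that keep the last disagree.
	sampleDuplicateAuthor = []byte("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
		"author Alice <alice@example.com> 1700000000 +0000\n" +
		"author Mallory <mallory@example.com> 1700000000 +0000\n" +
		"committer Alice <alice@example.com> 1700000000 +0000\n\nInitial commit\n")
	// Headers out of canonical order: parses fine, but the reconstruction is not the stored bytes.
	sampleReordered = []byte("author Alice <alice@example.com> 1700000000 +0000\n" +
		"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
		"committer Alice <alice@example.com> 1700000000 +0000\n\nInitial commit\n")
)

func main() {
	for name, raw := range map[string][]byte{
		"well-formed": sampleGood, "duplicate author": sampleDuplicateAuthor, "reordered": sampleReordered,
	} {
		if _, err := SignedPayload(raw); err != nil {
			fmt.Printf("%-16s refused: %v\n", name, err)
		} else {
			fmt.Printf("%-16s accepted for signing/verification\n", name)
		}
	}
}
```

The reordered sample is the instructive one: a lenient parser accepts it and would happily sign or verify its canonical re-encoding, while the round-trip comparison exposes that the reconstruction is not what the repository stores. The same check is cheap to run in a verifier regardless of which Git library produced the parsed form.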
Meta Information
Published: 2026-05-27
Last Modified: 2026-06-04
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor           Product   Version / Range
go-git_project   go-git    6.0.0
go-git_project   go-git    6.0.0
go-git_project   go-git    up to 5.19.0 (excluding)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-180: The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.
Compliance Impact

This vulnerability affects the integrity of commit signatures in go-git, potentially causing signatures to validate for commits whose metadata differs from the stored object. Such integrity issues could undermine trust in the authenticity and accuracy of version control data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the integrity issues caused by this vulnerability could impact compliance indirectly. For example, inaccurate or tampered commit data might affect audit trails, data provenance, or verification processes required by these regulations.

To mitigate these risks and maintain compliance, users are advised to upgrade to the fixed versions of go-git (5.19.0 or later, or 6.0.0-alpha.3).

Mitigation Strategies

To mitigate this vulnerability, users should upgrade go-git to version 5.19.0 or later, or to 6.0.0-alpha.3 or later.

Executive Summary

The vulnerability in go-git involves the way it parses malformed Git objects, such as commit or tag objects with ambiguous or malformed headers. Unlike the upstream Git implementation, go-git may interpret these objects differently, leading to discrepancies in the decoded representation.

Additionally, go-git's commit signing and verification process works on reconstructed commit data derived from its parsed representation rather than the original raw object bytes. This can cause a commit signature to appear valid even when the commit's displayed or effective metadata differs from the actual object stored in the repository.

This means that a signature might validate a commit that has been altered or interpreted differently than intended, potentially misleading users about the authenticity or integrity of the commit.

Impact Analysis

This vulnerability can impact users by allowing signatures to validate commits whose metadata or content differs from what was originally intended or stored. This discrepancy can undermine trust in the authenticity and integrity of commits.

As a result, users or systems relying on commit signatures for verification may be misled into accepting altered or malformed commits as legitimate, potentially leading to security risks such as unauthorized code changes or supply chain attacks.
