CVE-2026-42563
Status: Received - Intake
Arbitrary Command Execution in Dulwich Git Library

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
2 associated CPEs
Vendor   Product   Version / Range
dulwich  dulwich   >= 0.24.0 (inc), < 1.2.5 (exc): affected
dulwich  dulwich   1.2.5: the fixed release, listed here as the upper bound of the affected range, not as vulnerable
CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Compliance Impact

The vulnerability CVE-2026-42563 allows an attacker to achieve arbitrary command execution on a victim's system by exploiting the Dulwich library's ProcessMergeDriver component. This high-impact security flaw could lead to unauthorized access, data manipulation, or system compromise.

Such unauthorized command execution and potential data breaches could negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system operations.

Organizations using vulnerable versions of Dulwich without applying the patch (version 1.2.5 or later) may face increased risk of non-compliance due to potential data exposure or system integrity violations resulting from exploitation of this vulnerability.

Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols. In versions from 0.24.0 up to but not including 1.2.5, the ProcessMergeDriver component substitutes the path of the file being merged, taken from the git tree, into the configured merge driver command in place of the %P placeholder, and then runs the resulting string with subprocess.run(..., shell=True). Because the path comes from the tree, an attacker controls it through a malicious branch, and because the command goes through a shell, shell metacharacters in the path (a ';', '$(...)' or backticks, for example) are interpreted as additional commands. The attacker's commands run on the victim's system when the victim merges the malicious branch.

The issue is fixed in version 1.2.5.
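
The pattern described above, reduced to a minimal model as an added example: this is not Dulwich's code, and the command template, function names and the MALICIOUS_PATH value are constructed for illustration. It runs the same template three ways: the vulnerable textual substitution followed by shell=True, an argv-based form that never touches a shell, and a quoted-shell form for drivers that genuinely need shell features. The payload only runs echo, so the injected command is visible as an extra line of output rather than doing anything harmful.

```python
import shlex
import subprocess

# Constructed example (not Dulwich's code): a merge driver command of the kind
# that git keeps under merge.<name>.driver. Only %P (path of the file being
# merged) is modelled here; the %O/%A/%B temp-file placeholders are left out.
DRIVER_COMMAND = "echo merging %P"

# A file path as an attacker could commit it on the branch the victim merges.
# Git places almost no restrictions on path bytes, so ';' is a legal name.
MALICIOUS_PATH = "README.md; echo INJECTED"


def vulnerable_run(command: str, path: str) -> str:
    """Vulnerable pattern: textual substitution of %P, then shell=True.

    The shell re-parses the whole string, so the ';' inside the path ends
    the intended echo and starts a second command chosen by the attacker.
    """
    cmd = command.replace("%P", path)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def hardened_run(command: str, path: str) -> str:
    """Hardened form: tokenize the template once, substitute into each argv
    element, and execute without a shell.

    The path becomes exactly one argv element whatever it contains; nothing
    ever re-parses it as shell syntax.
    """
    argv = [arg.replace("%P", path) for arg in shlex.split(command)]
    proc = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return proc.stdout


def quoted_shell_run(command: str, path: str) -> str:
    """Minimal fix when the driver really needs a shell (pipes, redirects):
    quote every substituted value with shlex.quote before the shell sees it.
    This is POSIX sh quoting and is not a fix for cmd.exe."""
    cmd = command.replace("%P", shlex.quote(path))
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_run(DRIVER_COMMAND, MALICIOUS_PATH)))
    print("argv, no sh:", repr(hardened_run(DRIVER_COMMAND, MALICIOUS_PATH)))
    print("quoted sh  :", repr(quoted_shell_run(DRIVER_COMMAND, MALICIOUS_PATH)))
```

Wrapping the placeholder in quotes inside the template (`echo merging '%P'`) does not help the vulnerable form: a single quote in the attacker's path closes the quoted region and the rest is parsed as shell again. The quoting has to be applied to the substituted value, which is what shlex.quote does, or avoided entirely by passing argv without a shell. The argv form cannot express pipes or redirects; a driver that needs them should be a script that takes the path as an argument.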

Impact Analysis

An attacker who can trick a victim into merging a malicious branch can execute arbitrary commands on the victim's system. This can lead to unauthorized actions such as data theft, system compromise, or further malware installation, depending on the commands executed.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dulwich to version 1.2.5 or later, where the issue has been fixed. Until the upgrade is in place, treat a merge performed through Dulwich in a repository that configures a process merge driver as equivalent to running code from the merged branch: do not merge branches from untrusted contributors, and review the file paths a branch adds or renames before merging it.

Detection Guidance

The vulnerable code path is reached when a merge performed through Dulwich invokes a configured merge driver whose command contains the %P placeholder. Dulwich substitutes the path of the file being merged, taken from the git tree, into that command and runs the result through a shell, so a path containing shell metacharacters is executed as additional commands.

To determine whether a system is exposed, first check the version of Dulwich installed. Versions >= 0.24.0 and < 1.2.5 are affected.

  • Check the Dulwich version with the Python package manager, for example: pip show dulwich (check each virtual environment and interpreter separately; a system-wide query does not see packages installed elsewhere).
  • Look for merge drivers whose command uses the %P placeholder. Driver commands live under the merge.<name>.driver key in git configuration (repository .git/config, user or system-wide config); for example, run: git config --list | grep '^merge\.'. Drivers are bound to files through a merge=<name> attribute in .gitattributes (or .git/info/attributes), so check those files as well to see which paths would trigger a driver.
  • Audit recent git merges for branches that add or rename files with suspicious or unusual paths (shell metacharacters such as ';', '|', '$(' or backticks in a file name) that could be crafted to exploit this vulnerability.

No network-level detection signature is provided; the injection happens locally at merge time. Monitoring git merge operations and ensuring no untrusted branches are merged without review is therefore the practical control.
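
The checks above combined into one script, as an added example that is not part of the page or of Dulwich: it compares the installed Dulwich version against the affected range, lists merge.<name>.driver entries whose command contains %P, and maps them to the .gitattributes patterns that select them. The git config and .gitattributes lines embedded here are constructed sample input; in practice feed it the output of git config --list and the contents of the repository's .gitattributes.

```python
import re
from importlib import metadata
from typing import Optional

AFFECTED_FROM = (0, 24, 0)   # first affected release, per the advisory
FIXED_IN = (1, 2, 5)         # first fixed release, per the advisory


def parse_version(version: str) -> tuple:
    """'1.2.4' -> (1, 2, 4), padded to three components. Parsing stops at
    the first component that does not start with digits, so '1.2.5.post1'
    becomes (1, 2, 5); a pre-release tag such as '1.2.5rc1' is treated as
    the release it precedes, which is conservative here."""
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def installed_version() -> Optional[str]:
    """Dulwich version visible to this interpreter (what `pip show dulwich`
    reports for the same environment), or None if it is not installed."""
    try:
        return metadata.version("dulwich")
    except metadata.PackageNotFoundError:
        return None


def merge_drivers(config_lines) -> dict:
    """Collect merge.<name>.driver entries from `git config --list` output.
    Returns {name: {"command": str, "uses_path": bool}}; uses_path is True
    when the command contains the %P placeholder."""
    drivers = {}
    for line in config_lines:
        key, sep, value = line.partition("=")
        m = re.fullmatch(r"merge\.(.+)\.driver", key.strip()) if sep else None
        if m:
            drivers[m.group(1)] = {"command": value, "uses_path": "%P" in value}
    return drivers


def attribute_bindings(gitattributes_lines) -> dict:
    """Map driver names to the .gitattributes patterns carrying merge=<name>.
    Comments are stripped; the -merge/!merge forms are not driver bindings
    and are ignored."""
    bindings = {}
    for raw in gitattributes_lines:
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        for attr in fields[1:]:
            if attr.startswith("merge="):
                bindings.setdefault(attr[len("merge="):], []).append(fields[0])
    return bindings


def assess(version: Optional[str], config_lines, gitattributes_lines) -> list:
    """Human-readable findings; an empty list means nothing to report."""
    findings = []
    if version is None:
        findings.append("dulwich is not installed in this interpreter")
    elif is_affected(version):
        findings.append(f"dulwich {version} is in the affected range "
                        f">= 0.24.0, < 1.2.5; upgrade to 1.2.5 or later")
    bindings = attribute_bindings(gitattributes_lines)
    for name, info in merge_drivers(config_lines).items():
        if info["uses_path"]:
            bound = ", ".join(bindings.get(name, [])) or "no .gitattributes binding found"
            findings.append(f"merge driver '{name}' substitutes %P: "
                            f"{info['command']} (bound to: {bound})")
    return findings


# Constructed sample input (not from any real repository).
SAMPLE_CONFIG = [
    "core.repositoryformatversion=0",
    "merge.lockfile.name=lockfile merger",
    "merge.lockfile.driver=/usr/local/bin/merge-lock %O %A %B %P",
    "merge.textmerge.driver=/usr/local/bin/merge-text %O %A %B",
]
SAMPLE_GITATTRIBUTES = [
    "# constructed .gitattributes",
    "*.lock merge=lockfile",
    "CHANGELOG.md merge=textmerge",
]

if __name__ == "__main__":
    for finding in assess(installed_version(), SAMPLE_CONFIG, SAMPLE_GITATTRIBUTES):
        print("-", finding)
```

A driver without %P in its command is not a trigger for this particular issue, but the script still lists the ones that use it even when the installed version is fixed, since knowing which repositories route merges through an external command is useful exposure information when the next Dulwich is rolled out.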
