CVE-2026-52726
Deferred - Pending Action

Path Traversal in Dulwich Git Implementation

Vulnerability report for CVE-2026-52726, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor    Product    Version / Range
dulwich   dulwich    up to 1.2.5 (exclusive)
dulwich   dulwich    1.2.5

Exploitability

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols, specifically in versions starting from 0.23.2 up to but not including 1.2.5. The issue occurs in the submodule update functionality, where attacker-controlled submodule paths from a crafted upstream repository are materialized without proper path validation.

An attacker can craft a malicious .gitmodules file along with a matching gitlink whose path points to a directory inside the parent repository's .git directory, such as .git/hooks. This causes the attacker's submodule contents to be written directly into the victim's .git/hooks/ directory, preserving executable permissions.

Because Git and Dulwich run executables in the .git/hooks/ directory as hooks during various commands, this allows the attacker to execute arbitrary code when those hooks are triggered.

The vulnerability is similar to upstream Git vulnerabilities CVE-2024-32002 and CVE-2024-32004, but those fixes were not propagated into Dulwich's submodule porcelain implementation. The issue was fixed in Dulwich version 1.2.5.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system when you use Dulwich to clone repositories with submodules or update submodules if the repository contains a maliciously crafted .gitmodules file.

An attacker can exploit this to run malicious code with the privileges of the user running the Dulwich commands, potentially compromising your system, stealing data, or causing other harmful effects.

Since the attack involves writing executable files into the .git/hooks directory, any subsequent Git or Dulwich commands that trigger these hooks will execute the attacker's code.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dulwich to version 1.2.5 or later, where the issue has been patched.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by checking whether your system uses a dulwich version from 0.23.2 up to but not including 1.2.5, especially if you use commands or APIs that perform submodule updates or cloning with recursion enabled.

To detect exploitation or presence of malicious submodules, you can inspect the .git/hooks directory for unexpected or suspicious executable files that may have been placed there by a crafted .gitmodules file.

Suggested commands to help detect this vulnerability or its exploitation include:

  • Check the installed dulwich version (if applicable): `pip show dulwich` or `pip freeze | grep dulwich`
  • Look for suspicious executable files in the .git/hooks directory of your repositories (anything executable that is not one of the stock `*.sample` templates): `ls -l .git/hooks/`
  • Search .gitmodules files for submodule paths that point inside the .git directory, such as `.git/hooks`: `grep -rn --include=.gitmodules 'path *= *\.git' .`
  • Audit recent git submodule update or clone commands with recursion enabled in your logs or scripts.
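The `.gitmodules` check above can be automated before a recursive clone or submodule update is run. The following is an added example (not code from dulwich or from this report) that parses `.gitmodules` with a minimal git-config style parser and flags any submodule whose normalized path contains a `.git` component, a `..` component, an absolute path or a backslash; the sample `.gitmodules` content and the `example.invalid` URLs are constructed for illustration.

```python
import posixpath
import re

_SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
_KEY_RE = re.compile(r'^\s*(?P<key>\w+)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text):
    """Minimal git-config parser: returns {submodule_name: {key: value}}."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            current[m.group("key").lower()] = m.group("value")
    return modules


def is_unsafe_submodule_path(path):
    """True if checking out a submodule at `path` could touch .git or leave the worktree."""
    if not path or path.startswith("/") or "\\" in path:
        return True
    # normpath collapses 'x/../.git/hooks' into '.git/hooks' before inspection
    for part in posixpath.normpath(path).split("/"):
        # case-insensitive .git match covers case-insensitive worktree filesystems
        if part == ".." or part.lower() == ".git":
            return True
    return False


def find_unsafe_submodules(gitmodules_text):
    """Return [(name, path)] for every submodule whose path is unsafe."""
    return [(name, cfg.get("path", ""))
            for name, cfg in parse_gitmodules(gitmodules_text).items()
            if is_unsafe_submodule_path(cfg.get("path", ""))]


# Constructed sample .gitmodules: one benign entry, one targeting .git/hooks.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n\tpath = vendor/lib\n\turl = https://example.invalid/lib.git\n'
    '[submodule "hooks"]\n\tpath = .git/hooks\n\turl = https://example.invalid/h.git\n'
)

if __name__ == "__main__":
    for name, path in find_unsafe_submodules(SAMPLE_GITMODULES):
        print(f"unsafe submodule {name!r}: path {path!r}")  # reports the 'hooks' entry
```

Run this against the `.gitmodules` of a freshly fetched repository before calling `porcelain.submodule_update` or cloning with `recurse_submodules=True`; any hit should block the checkout.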
