CVE-2026-52726
Status: Deferred - Pending Action
Path Traversal in Dulwich Git Implementation

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
dulwich   dulwich   up to 1.2.5 (exclusive)
dulwich   dulwich   1.2.5
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols, specifically in versions starting from 0.23.2 up to but not including 1.2.5. The issue occurs in the submodule update functionality, where attacker-controlled submodule paths from a crafted upstream repository are materialized without proper path validation.

An attacker can craft a malicious .gitmodules file along with a matching gitlink whose path points to a directory inside the parent repository's .git directory, such as .git/hooks. This causes the attacker's submodule contents to be written directly into the victim's .git/hooks/ directory, preserving executable permissions.

Because Git and Dulwich run executables in the .git/hooks/ directory as hooks during various commands, this allows the attacker to execute arbitrary code when those hooks are triggered.

The vulnerability is similar to upstream Git vulnerabilities CVE-2024-32002 and CVE-2024-32004, but those fixes were not propagated into Dulwich's submodule porcelain implementation. The issue was fixed in Dulwich version 1.2.5.

Impact Analysis

This vulnerability can lead to arbitrary code execution on your system when Dulwich is used to clone a repository with submodules (recurse_submodules=True) or to update submodules, if that repository contains a maliciously crafted .gitmodules file.

An attacker can exploit this to run malicious code with the privileges of the user running the Dulwich commands, potentially compromising your system, stealing data, or causing other harmful effects.

Since the attack involves writing executable files into the .git/hooks directory, any subsequent Git or Dulwich commands that trigger these hooks will execute the attacker's code.

Mitigation Strategies

To mitigate this vulnerability, upgrade Dulwich to version 1.2.5 or later, where the issue has been patched.
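Where an affected version cannot be upgraded immediately, a repository's .gitmodules can be screened before submodules are materialized. The check below is an added example, not code from dulwich or from the advisory; it parses a constructed .gitmodules and flags every submodule path that enters a .git directory or escapes the work tree, and it goes beyond the single .git/hooks case above by also rejecting case and NTFS aliases of .git and any `..` component.

```python
import re

# Constructed sample .gitmodules (assumed input, not from any real repository): one legitimate entry, two to refuse.
SAMPLE_GITMODULES = """\
[submodule "vendor/lib"]
\tpath = vendor/lib
\turl = https://example.invalid/lib.git
[submodule "hooks"]
\tpath = .git/hooks
\turl = https://example.invalid/hooks.git
[submodule "escape"]
\tpath = ../outside
\turl = https://example.invalid/outside.git
"""

_SECTION = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
_PATH = re.compile(r'^\s*path\s*=\s*(.*?)\s*$', re.IGNORECASE)


def is_safe_submodule_path(path: str) -> bool:
    """Lexical check: the path stays inside the work tree and never enters a .git directory (not dulwich code)."""
    if not path:
        return False
    norm = path.replace("\\", "/")
    # Absolute POSIX or drive-letter paths are never valid submodule paths.
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return False
    for part in filter(None, norm.split("/")):
        if part == ".":
            continue
        if part == "..":
            return False  # would traverse out of the parent repository
        # Fold case, trailing dots/spaces and the 8.3 short name GIT~1,
        # all of which alias ".git" on case-insensitive or NTFS volumes.
        if part.rstrip(". ").lower() in (".git", "git~1"):
            return False
    return True


def unsafe_submodules(gitmodules_text: str) -> list:
    """Return (name, path) for every submodule entry whose path fails the check."""
    bad, name = [], None
    for line in gitmodules_text.splitlines():
        if m := _SECTION.match(line):
            name = m.group(1)
        elif (m := _PATH.match(line)) and name is not None:
            path = m.group(1)
            if not is_safe_submodule_path(path):
                bad.append((name, path))
    return bad
```

Running unsafe_submodules on the sample returns the "hooks" and "escape" entries, which a wrapper around porcelain.clone or submodule_update can refuse before any tree is written.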
