External risk intelligence

An attacker can run code on your systems through the GitPython library.

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-42284

A critical flaw in GitPython lets attackers run code on your systems when cloning repositories, potentially exposing sensitive data and systems. Update GitPython now to version 3.1.47 or later to stay protected.

Halo Surface Signal: 2

Affected product: Gitpython (Gitpython Project), versions before 3.1.47

External exposure likelihood

Halo Surface Signal score for CVE-2026-42284

The vulnerability affects a Python library typically used in backend applications, CI/CD pipelines, and build tools. It may be reachable in web applications that accept user-supplied repository URLs, but the library is not a public-facing service by design and often runs within internal or restricted network environments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in GitPython allows malicious commands to be executed during a repository clone operation. This could lead to unauthorized actions on your systems if not properly addressed.

  • Code execution during clone.
  • Affects systems cloning repositories.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by crafting a malicious Git repository URL. When a vulnerable version of GitPython clones from this URL, it processes the configuration options carried in the URL incorrectly, so attacker-controlled code runs on the cloning system. Anyone using the affected GitPython library to clone repositories from untrusted sources is at risk.

  • Unauthenticated network access.
  • Git repository clone action.
  • User must clone malicious repo.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in GitPython allows arbitrary hooks or commands to be executed during a repository clone. Attackers favor flaws of this kind when the trigger is cheap: here the victim only has to clone from an attacker-supplied URL, something CI/CD pipelines and build tools do routinely, and the result is code execution on the cloning system.

  • Not in KEV.
  • Exploit code is available.
  • Patch released in May 2026.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating GitPython to version 3.1.47 or later to address a critical vulnerability that allows arbitrary code execution during repository cloning. If immediate patching is not feasible, implement strict input validation on any user-supplied repository URLs processed by the application; allow-list the scheme, host and path shape rather than trying to block known-bad patterns, since argument injection only needs one unanticipated option to get through.

  • Upgrade GitPython to 3.1.47 or later.
  • Block untrusted Git repository clones.
  • Monitor for suspicious Git commands.
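As an added example (not code from the advisory or from the GitPython project), the following Python implements the three actions above for an application that clones from user-supplied URLs: an allow-list validator that refuses anything git could read as an option or a transport helper, a check that the installed GitPython is at or above 3.1.47 before cloning, and a detector that flags `git clone` process command lines carrying options that make git run an external program. The allowed hosts, the process-log format and the sample log lines are constructed assumptions, and the flagged git options (the ext:: transport helper, --upload-pack, and exec-capable -c config keys) are general git argument-injection indicators, not details taken from this advisory.

```python
"""Hardening and detection helpers around GitPython clone operations.

Added example, not from the advisory or the GitPython project. ALLOWED_HOSTS,
the process-log format and SAMPLE_PROCESS_LOG are constructed assumptions; the
flagged git options are general argument-injection indicators, not advisory details.
"""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"github.com", "gitlab.com"})  # assumed allowlist
FIXED_VERSION = (3, 1, 47)  # first fixed release named by the advisory
# owner/name[.git] from a conservative character set ("..", "-x" etc. fail)
_REPO_PATH = re.compile(r"^/[A-Za-z0-9_][\w.-]*/[A-Za-z0-9_][\w.-]*(?:\.git)?/?$", re.ASCII)
# git options, and config keys (case-insensitive), that make git run a program
_EXEC_OPTIONS = {"--upload-pack", "-u"}
_EXEC_CONFIG_KEY = re.compile(
    r"^(core\.(sshcommand|gitproxy|hookspath|askpass)|uploadpack\.|"
    r"remote\.[^.]+\.(uploadpack|proxy))", re.IGNORECASE)


def repo_url_problem(url: str):
    """Return None if url is a plain https URL to an allow-listed host, else the
    reason it is rejected. Everything git could read as an option or a transport
    helper (leading '-', ext::, ssh/file schemes, credentials, whitespace,
    control characters) is refused before GitPython ever sees the string."""
    if not url:
        return "empty URL"
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return "whitespace or control character"
    if url.startswith("-"):
        return "starts with '-' and would be parsed as an option"
    try:
        p = urlsplit(url)
        bad_auth = p.username or p.password or p.port  # .port raises on junk ports
    except ValueError as e:
        return f"malformed URL: {e}"
    if p.scheme != "https":
        return f"scheme not allowed: {p.scheme!r}"
    if bad_auth:
        return "credentials or explicit port"
    if p.hostname not in ALLOWED_HOSTS:
        return f"host not allow-listed: {p.hostname!r}"
    if p.query or p.fragment or not _REPO_PATH.match(p.path):
        return f"unexpected repository path: {p.path!r}"
    return None


def is_patched(version: str) -> bool:
    """True if a GitPython version string is at or above FIXED_VERSION."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


def safe_clone(url: str, dest: str):
    """Validate URL and library version, then clone. Needs GitPython and network."""
    import git  # lazy import so the checks above work without GitPython installed
    if not is_patched(git.__version__):
        raise RuntimeError(f"GitPython {git.__version__} is older than 3.1.47")
    problem = repo_url_problem(url)
    if problem:
        raise ValueError(f"refusing to clone {url!r}: {problem}")
    # allow_unsafe_protocols/allow_unsafe_options stay False (GitPython's own checks)
    return git.Repo.clone_from(url, dest)


def suspicious_clone_commands(log_lines):
    """Map pid -> reasons for 'git clone' invocations carrying exec-capable
    options. Expects one process per line as '<pid> <argv0> <args...>'."""
    flagged = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3 or not fields[1].endswith("git") or "clone" not in fields[2:]:
            continue
        pid, argv, reasons, skip = fields[0], fields[2:], [], False
        for i, tok in enumerate(argv):
            if skip:  # this token was the value of a preceding -c/--config
                skip = False
                continue
            name, _, joined = tok.partition("=")
            if name in _EXEC_OPTIONS:
                reasons.append(tok)
            elif tok.startswith("ext::"):
                reasons.append(f"ext:: transport helper {tok}")
            elif name in ("-c", "--config"):
                # key=value is joined (--config=k=v) or the following token (-c k=v)
                value = joined if joined else (argv[i + 1] if i + 1 < len(argv) else "")
                skip = not joined
                if _EXEC_CONFIG_KEY.match(value.partition("=")[0]):
                    reasons.append(f"{name} {value}")
        if reasons:
            flagged[pid] = reasons
    return flagged


# Constructed sample of process command lines, one process per line.
SAMPLE_PROCESS_LOG = """\
1042 /usr/bin/git clone --depth 1 https://github.com/example/app.git /tmp/build
1043 /usr/bin/git -c core.sshCommand=/tmp/helper clone https://github.com/example/app.git /tmp/build2
1044 /usr/bin/git clone ext::/tmp/helper /tmp/build3
1045 /usr/bin/git clone --upload-pack=/tmp/helper https://github.com/example/app.git /tmp/build4
1046 /usr/bin/git fetch origin
1047 /usr/bin/python3 build.py
""".splitlines()
```

`safe_clone` leaves GitPython's `allow_unsafe_protocols` and `allow_unsafe_options` parameters at their default of False, so the library's own transport and option checks stay in force on a patched version; the validator in front of it is what protects an unpatched one, and the detector is meant to run over whatever process or audit telemetry already records command lines for your build hosts.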

Frequently asked questions

What is GitPython and what is it used for?

GitPython is a Python library that allows developers to interact with Git repositories directly from their Python code. It's commonly used for automating Git tasks, managing repositories in applications, and integrating Git functionality into software development workflows.

How does CVE-2026-42284 enable an attacker to run code?

CVE-2026-42284 is a CWE-88, "Argument Injection" vulnerability. In affected versions of GitPython, a specially crafted repository URL containing malicious configuration options can trick the library into executing attacker-controlled commands or hooks when a repository is cloned. The root cause is that the library validates the options incorrectly before splitting them into the command-line arguments it passes to git, so the injected options reach the underlying git process.

What are the conditions for this GitPython vulnerability to be triggered?

This vulnerability is triggered when a user or system running a vulnerable version of GitPython (prior to 3.1.47) clones from a malicious repository URL supplied by the attacker. The malicious input is the URL and the options it carries, not the contents of the repository: cloning from a benign URL will not trigger the bug, even if the repository itself is untrusted.

Who should be concerned about CVE-2026-42284 based on its exposure?

This vulnerability is classified as external, meaning it can be reached over the internet. Anyone using GitPython in applications that might clone repositories from untrusted or potentially malicious sources should be concerned. The Halo Surface Signal indicates that widespread direct exposure is unlikely, since GitPython is usually used in backend systems rather than in directly exposed services.

What is the first step to address the GitPython vulnerability?

The primary step is to update the GitPython library to version 3.1.47 or a later version. This patched version corrects the validation issue that allows for malicious code execution during the cloning process.
