CVE-2026-42215
Published 2026-05-07
Priority P261 · High · CVSS 3.1 base score 8.8 · Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS 0.72% (49.2nd percentile)
GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitpython-developers | gitpython | — | — |
| gitpython_project | gitpython | >= 0 < 3.1.50 | 3.1.50 |
| gitpython_project | gitpython | >= 3.1.30 < 3.1.47 | 3.1.47 |
| ubuntu | python-git | — | — |
Detection & IOCs (extracted from sources)
- Monitor for the Python kwargs `upload_pack` or `receive_pack` being passed into GitPython methods (Repo.clone_from(), Remote.fetch(), Remote.pull(), Remote.push()), as these bypass the check that the default allow_unsafe_options=False is meant to enforce.
- Flag GitPython versions 3.1.30 through 3.1.46 (inclusive) as vulnerable; enforce an upgrade to 3.1.47 or later.
- The dangerous Git options `--upload-pack` and `--receive-pack` are blocked by default, but their Python kwarg equivalents (`upload_pack`, `receive_pack`) are not; the bypass works regardless of the `allow_unsafe_options` setting.
- The vulnerability is only exploitable when an application passes attacker-controlled kwargs into the affected GitPython methods; applications that do not expose kwargs to user input are not directly at risk.
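A guard an application can place in front of these calls, written for this page as an added example (not GitPython's own code): it derives the flag each kwarg would become, mirroring GitPython's underscore-to-dash convention as an assumption, rejects the flags the advisory names plus any attempt to pass the unlock switches from user input, and includes a check for the affected version range.

```python
"""Guard for user-supplied GitPython kwargs (added example, not GitPython code).
Every kwarg is normalized to the flag GitPython would emit and rejected if that
flag is unsafe, so upload_pack=... cannot slip past a check that only knows
--upload-pack. Kwarg-to-flag rules mirror GitPython's convention (assumption).
"""
import re

# Flags the advisory lists as unsafe; GitPython's own blocklists are longer.
UNSAFE_FLAGS = {"--upload-pack", "--receive-pack", "--config", "-u", "-c"}
# Switches that disable GitPython's own checks must never come from user input.
UNLOCK_KWARGS = {"allow_unsafe_options", "allow_unsafe_protocols"}


def kwarg_to_flag(name: str) -> str:
    """Flag GitPython derives from a kwarg: 'u' -> '-u', 'upload_pack' -> '--upload-pack'."""
    if len(name) == 1:
        return f"-{name}"
    return "--" + name.replace("_", "-")


def reject_unsafe_kwargs(kwargs: dict) -> dict:
    """Return a copy of kwargs safe to forward to clone_from/fetch/pull/push,
    or raise ValueError (unsafe flag, unlock switch, or malformed name)."""
    safe = {}
    for name, value in kwargs.items():
        if name in UNLOCK_KWARGS:
            raise ValueError(f"refusing user-controlled {name}")
        # Plain identifier only: odd spellings are refused, not string-compared.
        if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_]*", name):
            raise ValueError(f"malformed option name {name!r}")
        flag = kwarg_to_flag(name)
        if flag in UNSAFE_FLAGS:
            raise ValueError(f"kwarg {name!r} would become unsafe option {flag}")
        safe[name] = value
    return safe


def is_rejected(kwargs: dict) -> bool:
    """True when the guard refuses these kwargs (for tests and code audits)."""
    try:
        reject_unsafe_kwargs(kwargs)
    except ValueError:
        return True
    return False


def is_vulnerable(version: str) -> bool:
    """True for GitPython 3.1.30 <= version < 3.1.47 (the kwargs bypass range)."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return (3, 1, 30) <= parts < (3, 1, 47)
```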
CVSS provenance
- NVD (CVSS v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- GHSA: 8.8 HIGH
- Ubuntu (vendor): 6.5 MEDIUM
GHSA (2026-05-08, CVSS 8.8, HIGH, CWE-20)
GitPython: Newline injection in config_writer() section parameter bypasses CVE-2026-42215 patch, enabling RCE via core.hooksPath
Summary
The patch for CVE-2026-42215 (GitPython 3.1.49) validates newlines only in the value parameter of set_value(). The section and option parameters are passed to configparser without any newline validation. An attacker who controls the section argument can inject \n to write arbitrary section headers into .git/config, including a forged [core] section with hooksPath pointing to an attacker-controlled directory, leading to RCE when any git hook is triggered.
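An application-side check for the section and option names, added here as an example and not part of the advisory or of GitPython: it applies git-config(1)'s naming rules before anything reaches set_value(), and treats the `name "subsection"` spelling of the section argument as an assumption about how callers name sections.

```python
"""Validator for git config keys before GitConfigParser.set_value()
(added example, not GitPython code). It enforces git-config(1)'s naming
rules so a section or option name can never carry the newline that the
3.1.49 patch only filters out of the value. The 'name "subsection"' spelling
of the section argument is an assumption about how the caller names sections.
"""
import re

# Section: letters, digits, '-' and '.'; optional quoted subsection that may
# hold anything except newline and NUL, with '"' and '\' backslash-escaped.
_SECTION = re.compile(r'([A-Za-z0-9.-]+)(?: "((?:[^"\\\n\0]|\\["\\])*)")?')
# Variable name: must start with a letter; letters, digits and '-' only.
_OPTION = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
# Keys an application should not let callers write at all; the advisory's
# sink is core.hooksPath. Extend with other keys that make git run commands.
DENIED_KEYS = {"core.hookspath"}


def validate_config_key(section: str, option: str) -> tuple:
    """Return (section, subsection_or_None, option) or raise ValueError."""
    m = _SECTION.fullmatch(section)
    if m is None:
        raise ValueError(f"bad config section {section!r}")
    if _OPTION.fullmatch(option) is None:
        raise ValueError(f"bad config option {option!r}")
    key = f"{m.group(1)}.{option}".lower()
    if key in DENIED_KEYS:
        raise ValueError(f"writing {key} is not allowed")
    return m.group(1), m.group(2), option


def is_valid_config_key(section: str, option: str) -> bool:
    """Predicate form of validate_config_key for tests and audits."""
    try:
        validate_config_key(section, option)
    except ValueError:
        return False
    return True
```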
Details
File: git/config.py — GitPython 3.1.49 (latest patched version)
```python
def set_value(self, section: str, option: str, value) -> "GitConfigParser":
    value_str = self._value_to_string_safe(va
```
VulDB (2026-05-07, CVSS 8.8, HIGH)
gitpython-developers GitPython up to 3.1.46 OS command injection
A vulnerability, which was classified as critical, was found in gitpython-developers GitPython up to 3.1.46. This affects the function Repo.clone_from/Remote.fetch/Remote.pull/Remote.push. Executing a manipulation can lead to OS command injection.
This vulnerability is registered as CVE-2026-42215. It is possible to launch the attack remotely. No exploit is available.
You should upgrade the affected component.
GHSA (2026-04-25, HIGH, CWE-78)
GitPython has Command Injection via Git options bypass
### Summary
GitPython blocks dangerous Git options such as `--upload-pack` and `--receive-pack` by default, but the equivalent Python kwargs `upload_pack` and `receive_pack` bypass that check. If an application passes attacker-controlled kwargs into `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()`, or `Remote.push()`, this leads to arbitrary command execution even when `allow_unsafe_options` is left at its default value of `False`.
### Details
GitPython explicitly treats helper-command options as unsafe because they can be used to execute arbitrary commands:
- `git/repo/base.py:145-153` marks clone options such as `--upload-pack`, `-u`, `--config`, and `-c` as unsafe.
- `git/remote.py:535-548` marks fetch/pull/push options suc
Ubuntu (2026-05-26, CVSS 6.5, MEDIUM)
GitPython vulnerabilities
Summary: Several security issues were fixed in GitPython.
Santos Gallegos discovered that GitPython did not properly validate paths when resolving certain Git references. An attacker could possibly use this issue to cause files outside the .git directory to be accessed, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-41040)
Wes Ring discovered that GitPython did not properly block certain unsafe Git options when they were provided as Python keyword arguments. An attacker could possibly use this issue to cause arbitrary command execution. (CVE-2026-42215)
It was discovered that GitPython did not properly validate clone options before processin
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.