CVE-2026-42284
Published 2026-05-07
Priority P353 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.57% (42.9th percentile)
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitpython-developers | gitpython | < 3.1.47 | 3.1.47 |
| gitpython_project | gitpython | < 3.1.47 | 3.1.47 |
| gitpython_project | gitpython | >= 0 < 3.1.47 | 3.1.47 |
| ubuntu | python-git | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Ubuntu
GitPython vulnerabilities
vendor_ubuntu · 2026-05-26 · CVSS 6.5
CVE-2026-42215 [MEDIUM] GitPython vulnerabilities
Summary: Several security issues were fixed in GitPython.
Santos Gallegos discovered that GitPython did not properly validate
paths when resolving certain Git references. An attacker could possibly
use this issue to cause files outside the .git directory to be accessed,
leading to a denial of service. This issue only affected Ubuntu 14.04
LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu
22.04 LTS. (CVE-2023-41040)
Wes Ring discovered that GitPython did not properly block certain unsafe
Git options when they were provided as Python keyword arguments. An
attacker could possibly use this issue to cause arbitrary command
execution. (CVE-2026-42215)
It was discovered that GitPython did not properly validate clone options
before processin
VulDB
gitpython-developers GitPython up to 3.1.46 _clone argument injection
vuldb · 2026-05-07 · CVSS 9.8
CVE-2026-42284 [CRITICAL]
A vulnerability categorized as critical has been discovered in gitpython-developers GitPython up to 3.1.46. This vulnerability affects the function _clone. Executing a manipulation can lead to argument injection.
This vulnerability is handled as CVE-2026-42284. The attack can be executed remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
GitPython: Unsafe option check validates multi_options before shlex.split transformation
ghsa · 2026-04-25
CVE-2026-42284 [HIGH] CWE-88
### Summary
`_clone()` validates `multi_options` as the original list, then executes `shlex.split(" ".join(multi_options))`. A string like `"--branch main --config core.hooksPath=/x"` passes validation (starts with `--branch`), but after split becomes `["--branch", "main", "--config", "core.hooksPath=/x"]`. Git applies the config and executes attacker hooks during clone.
### Details
The vulnerable code is in [`git/repo/base.py` line 1383](https://github.com/gitpython-developers/GitPython/blob/5937d14a2c5e532fcb3ece0f45bf75e5bf18539e/git/repo/base.py#L1383):
```python
multi = shlex.split(" ".join(multi_options))
```
Then validation runs on the **original** list at [line 1390](https://github.com/git
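The ordering bug described above can be reproduced without git at all, since the whole issue is that the unsafe-option check and the `shlex.split` transformation look at different data. The following is an added example written for this page; it is not GitPython's code. The unsafe-option list and the per-element prefix check are simplified stand-ins modelled on the advisory text (the library maintains its own list and check), and `clone_args_fixed` shows one sound ordering, not necessarily the exact change shipped in 3.1.47.

```python
"""Demo of the CVE-2026-42284 ordering bug: the unsafe-option check runs on
the caller's list, but git receives shlex.split(" ".join(list)).

Added example, not GitPython's code. The option list and the check below are
simplified stand-ins modelled on the advisory text.
"""
import shlex
from typing import List

# Stand-in list of clone options that can make git run code during a clone:
# --config/-c can set core.hooksPath, --upload-pack/-u names a program to run.
# (Assumed for this demo; the library keeps its own list.)
UNSAFE_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]


class UnsafeOptionError(ValueError):
    """Raised when an element starts with an option from UNSAFE_CLONE_OPTIONS."""


def check_unsafe_options(options: List[str]) -> None:
    """Per-element prefix check, modelled on the advisory's description.

    Each element is judged as a whole, so the single element
    "--branch main --config core.hooksPath=/x" passes: it starts with
    "--branch", and the "--config" buried inside it is never examined.
    """
    for option in options:
        for unsafe in UNSAFE_CLONE_OPTIONS:
            if option.startswith(unsafe):
                raise UnsafeOptionError(f"{option!r} starts with unsafe option {unsafe!r}")


def clone_args_vulnerable(multi_options: List[str]) -> List[str]:
    """Pre-3.1.47 ordering: validate the original list, then join and split.

    Returns the argv tail that would be handed to `git clone`.
    """
    check_unsafe_options(multi_options)          # inspects the caller's elements
    return shlex.split(" ".join(multi_options))  # git sees these tokens instead


def clone_args_fixed(multi_options: List[str]) -> List[str]:
    """Hardened ordering (this demo's fix, not necessarily upstream's patch):
    build the exact token list git will receive, then validate that list.
    """
    tokens = shlex.split(" ".join(multi_options))
    check_unsafe_options(tokens)                 # inspects what git will see
    return tokens


def injected_unsafe_tokens(argv: List[str]) -> List[str]:
    """Return the tokens in an argv tail that start with an unsafe option.
    Useful for auditing what a given multi_options value turns into.
    """
    return [tok for tok in argv if any(tok.startswith(u) for u in UNSAFE_CLONE_OPTIONS)]


def demo() -> dict:
    """Run the advisory's payload through both orderings."""
    # Constructed attacker-controlled value, taken from the advisory text.
    payload = ["--branch main --config core.hooksPath=/x"]
    results = {}

    results["vulnerable_argv"] = clone_args_vulnerable(payload)
    results["vulnerable_injected"] = injected_unsafe_tokens(results["vulnerable_argv"])

    try:
        clone_args_fixed(payload)
        results["fixed_blocked"] = False
    except UnsafeOptionError as exc:
        results["fixed_blocked"] = True
        results["fixed_error"] = str(exc)

    # The direct spelling was always caught; only the smuggled form slipped through.
    try:
        clone_args_vulnerable(["--config", "core.hooksPath=/x"])
        results["direct_blocked"] = False
    except UnsafeOptionError:
        results["direct_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The invariant that matters is that the check runs over exactly the argv git receives; validating any earlier representation leaves room for a transformation in between to change its meaning. Two practical caveats: the bug is only reachable where untrusted input is allowed to reach `multi_options` (for example a service that lets users pass extra clone flags), which is why the Ubuntu and NVD scores differ so much; and the version to confirm in a deployment is the installed package version (`pip show GitPython`), not whatever the lockfile says, since the fix is in 3.1.47 and later.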
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2026-05-07