CVE-2026-45022
Published 2026-05-27
Priority: P3 40 · Severity: high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 0.16% (5.5th percentile)
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | go-git_go-git_v5 | >= 0 < 5.19.0 | 5.19.0 |
| github.com | go-git_go-git_v6 | >= 6.0.0-alpha.1 < 6.0.0-alpha.3 | 6.0.0-alpha.3 |
| go-git | go-git | < 5.19.0 | 5.19.0 |
| go-git | go-git | — | — |
| go-git_project | go-git | < 5.19.0 | 5.19.0 |
| go-git_project | go-git | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 7.0 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
go-git up to 5.18.x/6.0.0-alpha.2 validate before canonicalize (GHSA-389r-gv7p-r3rp)
vuldb · 2026-06-07 · CVSS 7.5
CVE-2026-45022 [HIGH] go-git up to 5.18.x/6.0.0-alpha.2 validate before canonicalize (GHSA-389r-gv7p-r3rp)
A vulnerability classified as problematic has been reported in go-git up to 5.18.x/6.0.0-alpha.2. The affected function is unknown. Manipulation results in an incorrect order of operations: the object is validated before it is canonicalized.
This vulnerability was named CVE-2026-45022. The attack may be initiated remotely. There is no available exploit.
It is suggested to upgrade the affected component.
GHSA
go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
ghsa · 2026-05-11
CVE-2026-45022 [HIGH] CWE-180 go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
### Impact
`go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`’s decoded representation may expose values differently from how Git itself would interpret or reject the same object.
Additionally, `go-git`’s commit signing and verification logic operates over commit data reconstructed from `go-git`’s parsed representation rather than the original raw object bytes. As a result, `go-git` may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository.
This can cause a signature to appear valid for a commit whose displ
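The signing flaw described in the Impact section above (and in the description at the top of the page), as an added illustration that is not go-git's own code: a constructed commit object carries a header that a field-based decoder does not model. `rawPayload` derives the bytes to be signed from the raw object the way Git does (it strips only the gpgsig block), while `reconstructedPayload` re-encodes the parsed fields, the pattern the advisory describes, and the two diverge. The sample object, the `x-extra` header, the placeholder signature and all function names are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample commit object (bytes after Git's "commit <size>\0" prefix). It has
// a header a field-based decoder does not model ("x-extra") and a placeholder gpgsig.
const sampleCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A U Thor <a@example.com> 1700000000 +0000\n" +
	"committer A U Thor <a@example.com> 1700000000 +0000\n" +
	"x-extra  unmodelled header\ngpgsig -----BEGIN PGP SIGNATURE-----\n" +
	" (constructed placeholder)\n -----END PGP SIGNATURE-----\n\nCommit message\n"

// rawPayload derives the signed payload the way Git does: the stored object with only
// the gpgsig header (and its space-indented continuation lines) removed, byte for byte.
func rawPayload(obj string) string {
	headers, body, _ := strings.Cut(obj, "\n\n")
	var kept []string
	inSig := false
	for _, line := range strings.Split(headers, "\n") {
		if strings.HasPrefix(line, "gpgsig ") {
			inSig = true
			continue
		}
		if inSig && strings.HasPrefix(line, " ") {
			continue // continuation line of the signature block
		}
		inSig = false
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n") + "\n\n" + body
}

// reconstructedPayload mimics signing over a decoded representation: known fields are
// parsed and re-encoded, which silently drops unknown headers and normalises whitespace.
func reconstructedPayload(obj string) string {
	headers, body, _ := strings.Cut(obj, "\n\n")
	var b strings.Builder
	for _, line := range strings.Split(headers, "\n") {
		key, val, _ := strings.Cut(line, " ")
		if key == "tree" || key == "parent" || key == "author" || key == "committer" {
			fmt.Fprintf(&b, "%s %s\n", key, strings.TrimSpace(val))
		}
	}
	return b.String() + "\n" + body
}

func main() { fmt.Println("raw == reconstructed:", rawPayload(sampleCommit) == reconstructedPayload(sampleCommit)) }
```

A signer or verifier should always work from the raw-derived bytes: a signature produced or checked over the reconstructed payload would appear valid for a stored object that contains data the signer never saw.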
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-27