CVE-2026-42215
Arbitrary Command Execution vulnerability in gitpython (PyPI)
What is CVE-2026-42215 About?
This vulnerability in GitPython allows arbitrary command execution by bypassing the default safety checks for dangerous Git options. An application that forwards attacker-controlled keyword arguments to the affected GitPython functions can suffer severe system compromise. Exploitation is relatively easy once an attacker can influence the kwargs passed to those functions.
Affected Software
gitpython (PyPI), versions >=3.1.30 and <3.1.47 (see Available Upgrade Options below).
Technical Details
GitPython's validation of dangerous Git options such as --upload-pack and --receive-pack is flawed. It blocks these options when they are supplied as literal command-line flags (e.g., --upload-pack), but not when they are supplied as Python keyword arguments in underscore form (e.g., upload_pack). The bypass exists because the safety check, Git.check_unsafe_options(), runs before keyword arguments are normalized from underscore form (upload_pack) to the dash-form flags (--upload-pack) passed to the underlying Git command. An attacker who controls such keyword arguments can therefore supply a helper command through parameters like upload_pack or receive_pack to functions such as Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), resulting in arbitrary command execution on the system where GitPython is running.
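The mitigation pattern that follows from the description above is to normalize keyword arguments to their flag form first and only then compare them against a denylist. The code below is an added example written for this advisory; it is not GitPython's code and does not import GitPython. `kwarg_to_flag`, `UNSAFE_FLAGS`, `guard_git_kwargs` and the stand-in `build_clone_argv` are all constructed for the example: the denylist holds the two options the advisory names plus the short and alias spellings git accepts for them, and the stand-in only renders an argv so the reader can see what the normalized command line would contain.

```python
"""Normalize-then-check guard for GitPython-style keyword arguments.

Added example for this advisory; not GitPython's own code. It models the
underscore-to-dash kwarg convention and checks the *normalized* flag against a
denylist, so `upload_pack=...` and `--upload-pack` are treated identically.
"""
import functools
from typing import Any, Callable, Dict, List

# Constructed denylist for this example: the two options the advisory names,
# plus the short/alias spellings git accepts for them on clone/fetch (-u) and
# push (--exec). Extend it after reviewing the git subcommands you expose.
UNSAFE_FLAGS = frozenset({"--upload-pack", "-u", "--receive-pack", "--exec"})


def kwarg_to_flag(name: str) -> str:
    """Map a kwarg name to the git flag it would become (upload_pack -> --upload-pack).

    Leading dashes are stripped first so "upload-pack" and "--upload-pack" keys
    (possible via **{"...": v} unpacking) normalize to the same flag as "upload_pack".
    """
    bare = name.lstrip("-")
    if len(bare) == 1:
        return "-" + bare
    return "--" + bare.replace("_", "-")


def unsafe_in_raw_keys(kwargs: Dict[str, Any]) -> List[str]:
    """The flawed order of operations: compare raw kwarg names against the denylist.

    "upload_pack" is not in UNSAFE_FLAGS, so this check misses it; it is kept
    only to show why the comparison must happen after normalization.
    """
    return sorted(k for k in kwargs if k in UNSAFE_FLAGS)


def unsafe_after_normalization(kwargs: Dict[str, Any]) -> List[str]:
    """The correct order: normalize each name to its flag, then compare."""
    return sorted({kwarg_to_flag(k) for k in kwargs if kwarg_to_flag(k) in UNSAFE_FLAGS})


def guard_git_kwargs(func: Callable[..., Any]) -> Callable[..., Any]:
    """Decorator: refuse the call if any kwarg would reach git as a helper-command option."""

    @functools.wraps(func)
    def wrapper(*args: Any, **kwargs: Any) -> Any:
        bad = unsafe_after_normalization(kwargs)
        if bad:
            raise ValueError("refusing unsafe git option(s): " + ", ".join(bad))
        return func(*args, **kwargs)

    return wrapper


def build_clone_argv(url: str, path: str, **kwargs: Any) -> List[str]:
    """Hypothetical stand-in for a GitPython call: render kwargs to a git argv.

    It only builds the command line (nothing is executed) so the effect of the
    normalization is visible; a real wrapper would call the GitPython function.
    """
    flags: List[str] = []
    for name, value in kwargs.items():
        flag = kwarg_to_flag(name)
        if value is True:
            flags.append(flag)            # bare switch: --no-checkout
        elif value is False or value is None:
            continue                      # omitted entirely
        elif len(flag) == 2:
            flags.extend([flag, str(value)])  # short option: -u value
        else:
            flags.append(f"{flag}={value}")   # long option: --depth=1
    return ["git", "clone", *flags, url, path]


# The hardened entry point an application should expose instead of forwarding **kwargs.
safe_build_clone_argv = guard_git_kwargs(build_clone_argv)


if __name__ == "__main__":
    opts = {"depth": 1, "upload_pack": "/path/to/helper"}  # constructed input
    print("raw-key check flags:", unsafe_in_raw_keys(opts))             # []
    print("normalized check flags:", unsafe_after_normalization(opts))  # ['--upload-pack']
    try:
        safe_build_clone_argv("https://example.invalid/repo.git", "/tmp/repo", **opts)
    except ValueError as exc:
        print("blocked:", exc)
```

Applied to an application's own wrapper around Repo.clone_from() or Remote.fetch(), the decorator rejects the underscore spelling and the dash spelling alike, which is the property the vulnerable check lacks. An allowlist of the handful of options the application actually needs (depth, branch, and so on) is stronger still than this denylist and avoids having to track every helper-command alias git accepts.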
What is the Impact of CVE-2026-42215?
Successful exploitation may allow attackers to execute arbitrary commands on the system, leading to theft of credentials, modification of repositories and build artifacts, lateral movement, and full compromise of services handling repository operations.
What is the Exploitability of CVE-2026-42215?
Exploitation requires that an application pass attacker-controlled keyword arguments (kwargs) to one of the affected GitPython functions (Repo.clone_from(), Remote.fetch(), Remote.pull(), Remote.push()). Complexity is moderate: the attacker must find a way to influence those kwargs within the application's context. GitPython itself requires no authentication, although the vulnerable application may require it for the Git operation. The resulting privileges are those of the user running the vulnerable GitPython application. The scenario is primarily remote when the vulnerable application is exposed over a network. One condition applies: the attacker-supplied value must be interpretable as a helper command (the value of --upload-pack or --receive-pack). Risk factors include web applications that let users configure Git operations, systems that accept 'extra Git options' via **kwargs, and CI/CD systems or automation tools that process untrusted configurations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-42215?
Available Upgrade Options
- gitpython
  - >=3.1.30, <3.1.47 → Upgrade to 3.1.47
What are Similar Vulnerabilities to CVE-2026-42215?
Similar Vulnerabilities: CVE-2024-28219, CVE-2023-45133, CVE-2022-23491, CVE-2021-29471, CVE-2020-8032
