GitPython Flaws Let Attackers Bypass Option Checks and Execute Commands
Two high-severity vulnerabilities in GitPython allowed attackers to bypass built-in safety checks and reach arbitrary command execution through Git operations. CVE-2026-42215 affects versions 3.1.30 through 3.1.46 and stems from GitPython validating blocked Git options before normalizing Python keyword arguments: values such as upload_pack could pass validation, then be converted into forbidden flags like --upload-pack when passed to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(). The flaw could let attacker-controlled input trigger command execution with the privileges of the Python process even when allow_unsafe_options=False.
A second flaw, CVE-2026-42284, affects GitPython before version 3.1.47 and involves unsafe handling of the multi_options parameter in _clone(). The library checked multi_options before later reprocessing it with shlex.split(" ".join(multi_options)), enabling crafted input to smuggle additional Git command-line arguments past validation. A string that appeared to be a valid branch selection could be split into separate options, including malicious configuration such as core.hooksPath, causing Git to execute attacker-controlled hooks during clone. Both issues were fixed in GitPython 3.1.47.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
GitPython fixes two clone/option injection vulnerabilities in version 3.1.47
GitPython version 3.1.47 fixed the command injection issue involving unsafe Git option bypass as well as a separate flaw in _clone() where multi_options were validated before being reprocessed with shlex.split. The latter bug allowed attackers to smuggle additional Git options that could apply malicious configuration and trigger attacker-controlled hooks during clone.
GitPython command injection flaw is publicly disclosed
A command execution vulnerability in GitPython was publicly disclosed, affecting versions 3.1.30 through 3.1.46. The flaw allowed dangerous Git options to bypass blocklist checks when supplied as Python keyword arguments that were later normalized into Git command-line flags.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CVE-2026-42284 - GitPython: Unsafe option check validates multi_options before shlex.split transforms it
cvefeed.io
Open sourceCVE-2026-42215 - GitPython: Command injection via Git options bypass
cvefeed.io
Open sourceGHSA-RPM5-65CW-6HJ4: GHSA-RPM5-65CW-6HJ4: Command Injection via Git Options Bypass in GitPython | CVEReports
cvereports.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Git Carriage Return Flaw Enables Code Execution During Submodule Initialization
A high-severity vulnerability tracked as **CVE-2025-48384** affects Git’s handling of configuration values containing trailing carriage returns, creating a path for unintended script execution during submodule initialization. According to Armis, the flaw can be abused when an attacker can influence the relevant configuration context, potentially turning routine clone or submodule operations into code execution. Microsoft’s Security Update Guide also lists the issue, identifying it as a Git/GitHub vulnerability. Public exploit activity quickly followed disclosure, with multiple GitHub repositories publishing proof-of-concept material for **CVE-2025-48384**, including variants described as working over HTTPS and others explicitly labeling the issue as carriage-return-driven remote code execution on cloning. The appearance of several PoC repositories indicates that exploit details are broadly accessible, increasing the likelihood of weaponization against developers and build environments that process untrusted repositories or submodules.
May 25, 2026
Dulwich Windows Git Path Flaw Enables Arbitrary File Write and RCE
A high-severity flaw in **Dulwich** tracked as `CVE-2026-42305` allows arbitrary file write and potential remote code execution on Windows when a user clones, fetches, or checks out a malicious Git repository. The bug affects versions `0.10.0` through `1.2.4` and stems from improper validation of tree entry names that Windows interprets as path syntax, including backslashes, NTFS alternate data stream markers, and NTFS `8.3` short-name aliases tied to `.git`. A crafted repository can write files outside the work tree or place executable content such as `.git\hooks\pre-commit.exe` inside the victim’s Git metadata, which Git for Windows may later execute in the user’s context. The project released **Dulwich 1.2.5** to fix the issue, correcting mishandled `core.protectNTFS` and `core.protectHFS` configuration names, enabling `core.protectNTFS` by default on all platforms, and tightening checks to block dangerous names including reserved Windows devices like `CON`, `NUL`, `COM1`, and `LPT1`. Release notes say the update also addresses other security bugs, including unsafe submodule path handling, shell command injection in `ProcessMergeDriver`, unsafe patch filename generation, and improper `receive.maxInputSize` enforcement. Maintainers said there is no effective workaround short of upgrading, and warned that even POSIX users can unknowingly propagate malicious trees to Windows users through pushes or republished repositories.
Jun 11, 2026
Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass
OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. **CVE-2026-35641** affects versions before `2026.3.24` and lets a malicious local plugin or hook package use a crafted `.npmrc` file to override the `git` executable during `npm install`, resulting in arbitrary program execution. **CVE-2026-41349** affects versions before `2026.3.28` and allows low-privileged remote attackers to bypass execution approval through `config.patch`, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching. Additional OpenClaw issues published shortly after expand the attack surface. **CVE-2026-41336** affects versions before `2026.3.31` and allows workspace `.env` files to override `OPENCLAW_BUNDLED_HOOKS_DIR`, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. **CVE-2026-41352**, also fixed in `2026.3.31`, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package **simple-git** disclosed **CVE-2026-6951**, an RCE flaw in versions before `3.36.0` caused by incomplete blocking of Git configuration options, allowing attackers to abuse `--config`, enable `protocol.ext.allow=always`, and trigger execution through an `ext::` clone source when untrusted input reaches the library's options.
Apr 25, 2026