CVE-2026-42284
GitPython: Unsafe option check validates multi_options before shlex.split transforms it
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list and only then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split it becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the injected config and executes attacker-controlled hooks during the clone. This issue has been patched in version 3.1.47.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
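The ordering bug is easiest to see side by side. The following is an added example, not GitPython's own code: a small validator modelled on the advisory text, with the vulnerable "check the list, then split it" ordering next to the hardened "split first, then check every resulting token" ordering. The unsafe-option set and the function names are assumptions made for this example; the payload string and its split result are the ones quoted in the advisory. Nothing here runs git.

```python
import shlex

# Assumption: a representative set of clone options that can run code or
# redirect transport; this is NOT GitPython's actual list.
UNSAFE_CLONE_OPTIONS = ("--config", "-c", "--upload-pack", "-u")


class UnsafeOptionError(ValueError):
    """Raised when a clone option matches a known unsafe option."""


def check_unsafe_options(options):
    """Reject any element that names an unsafe option (exact or prefix match)."""
    for opt in options:
        for unsafe in UNSAFE_CLONE_OPTIONS:
            if opt.startswith(unsafe):
                raise UnsafeOptionError(f"unsafe option rejected: {opt!r}")


def vulnerable_clone_args(multi_options):
    """Pre-3.1.47 ordering as described in the advisory: validate the caller's
    list as given, then let shlex.split turn one element into several argv
    tokens. A single element starting with a harmless option hides the rest."""
    check_unsafe_options(multi_options)
    return shlex.split(" ".join(multi_options))


def hardened_clone_args(multi_options):
    """Fixed ordering: produce the final argv tokens first, then validate each
    token that git will actually see. Splitting can no longer smuggle an
    option past the check because the check runs on the post-split list."""
    args = shlex.split(" ".join(multi_options))
    check_unsafe_options(args)
    return args


def is_rejected(fn, multi_options):
    """Helper for demonstration: True if fn raises UnsafeOptionError."""
    try:
        fn(multi_options)
    except UnsafeOptionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed input, taken verbatim from the advisory text.
    payload = ["--branch main --config core.hooksPath=/x"]
    print("vulnerable ordering accepts payload:", not is_rejected(vulnerable_clone_args, payload))
    print("hardened ordering rejects payload:  ", is_rejected(hardened_clone_args, payload))
    # Benign multi-word options still work with the hardened check.
    print(hardened_clone_args(["--branch main", "--depth 1"]))
```

The general lesson is "validate what you execute, not what you were handed": any transformation between the check and the call (shell-style splitting, path normalisation, decoding) must happen before the check, or the check must be repeated on its output.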
Affected products
gitpython-developers · GitPython
Public PoCs found: 1
CVE reference (unverified): www.tenable.com/cve/CVE-2026-32686