CVE-2026-42215: GitPython Arbitrary Command Execution Vulnerability

The National Vulnerability Database (NVD) has detailed CVE-2026-42215, a critical arbitrary command execution vulnerability in GitPython versions 3.1.30 to before 3.1.47. This Python library, widely used for interacting with Git repositories, failed to properly sanitize input when specific Python keyword arguments (kwargs) were used. While GitPython generally blocks dangerous Git options like --upload-pack and --receive-pack by default, equivalent upload_pack and receive_pack kwargs could bypass these critical security checks.

This bypass allows an attacker to achieve arbitrary command execution if an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(). Crucially, this exploit is possible even when allow_unsafe_options is set to its default False value, meaning developers might have a false sense of security. The NVD assigns this vulnerability a CVSS score of 8.8 (HIGH), categorizing it under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

For defenders, this is a clear call to action. Any application leveraging GitPython within the affected version range is at risk. Given the prevalence of Git in development and CI/CD pipelines, the blast radius for this vulnerability could be significant. The issue has been patched in version 3.1.47, making immediate upgrades non-negotiable.

What This Means For You

  • If your organization uses GitPython, immediately audit your applications for versions from 3.1.30 up to, but not including, 3.1.47, and prioritize upgrading to 3.1.47 or later. Even if you rely on `allow_unsafe_options` staying at its default of `False`, this vulnerability bypasses that control. Review every place where `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()`, or `Remote.push()` is called with keyword arguments derived from external input.
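An added example, not GitPython's or the advisory's own code, that serves both the kwargs bypass described above and the audit step in this list: a version-range check for the affected releases, and a guard that normalises keyword arguments the way GitPython maps them to git long options before they are forwarded to `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()` or `Remote.push()`. The function names and the two-entry blocklist are assumptions for this example; the blocklist is built only from the options named on this page.

```python
"""Added example: version check and kwarg guard for the GitPython issue above.
GitPython maps a kwarg like upload_pack="x" to the git option --upload-pack=x
(underscores become dashes); the guard normalises keys the same way, so the
underscore spelling that bypassed the default checks is refused as well."""
import re
from typing import Any, Dict, Tuple

AFFECTED_FROM: Tuple[int, ...] = (3, 1, 30)  # first affected release (from the page)
FIXED_IN: Tuple[int, ...] = (3, 1, 47)       # first fixed release (from the page)
# Built from the two options the page names; extend it to match your own policy.
BLOCKED_OPTIONS = frozenset({"upload-pack", "receive-pack"})

class UnsafeGitOption(ValueError):
    """Raised when a kwarg would become a blocked git option."""

def parse_version(version: str) -> Tuple[int, ...]:
    """'3.1.46' -> (3, 1, 46); a suffix such as 'rc1' on a component is ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected_version(version: str) -> bool:
    """True for 3.1.30 <= version < 3.1.47, the range given in the advisory."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN

def normalise_option(key: str) -> str:
    """Drop leading dashes, map '_' to '-', lower-case (deliberately conservative)."""
    return key.lstrip("-").replace("_", "-").lower()

def safe_git_kwargs(kwargs: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of kwargs if none maps to a blocked option, else raise.
    Use before Repo.clone_from()/Remote.fetch()/pull()/push() with outside input."""
    for key in kwargs:
        option = normalise_option(key)
        if option in BLOCKED_OPTIONS:
            raise UnsafeGitOption(f"refusing kwarg {key!r}: it becomes --{option}")
    return dict(kwargs)

def rejects(kwargs: Dict[str, Any]) -> bool:  # True if the guard refuses kwargs
    try:
        safe_git_kwargs(kwargs)
        return False
    except UnsafeGitOption:
        return True
```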

🛡️ Detection Rules

Auto-generated detection rule for this advisory, mapped to MITRE ATT&CK. Level: critical. Technique: T1059.006 (Execution).

CVE-2026-42215: GitPython Arbitrary Command Execution via upload_pack/receive_pack kwargs

Sigma YAML:
title: CVE-2026-42215: GitPython Arbitrary Command Execution via upload_pack/receive_pack kwargs
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects likely exploitation of CVE-2026-42215. GitPython shells out to the git binary and rewrites the upload_pack / receive_pack keyword arguments as the --upload-pack / --receive-pack long options on that child process's command line; in versions 3.1.30 to before 3.1.47 that rewrite bypassed the default option blocklist. The rule therefore matches a git process started by a Python interpreter whose command line carries either option.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42215/
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
detection:
  # git child process launched by a Python interpreter (how GitPython runs git)
  selection_proc:
    ParentImage|contains: 'python'
    Image|endswith:
      - '\git.exe'
      - '/git'
  # the options the kwargs are rewritten to; the underscore spelling never
  # reaches the command line, so matching on 'upload_pack=' would not fire
  selection_opts:
    CommandLine|contains:
      - '--upload-pack'
      - '--receive-pack'
  condition: selection_proc and selection_opts
falsepositives:
  - Legitimate administrative or tooling use of --upload-pack / --receive-pack, such as deploy scripts that point git at a custom pack program

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-42215  RCE   GitPython library versions 3.1.30 to 3.1.46
CVE-2026-42215  RCE   GitPython Repo.clone_from() with attacker-controlled kwargs
CVE-2026-42215  RCE   GitPython Remote.fetch() with attacker-controlled kwargs
CVE-2026-42215  RCE   GitPython Remote.pull() with attacker-controlled kwargs
CVE-2026-42215  RCE   GitPython Remote.push() with attacker-controlled kwargs

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
