CVE-2026-42284: GitPython Vulnerability Allows Remote Code Execution Via Malicious Clones

The National Vulnerability Database has identified a critical vulnerability, CVE-2026-42284, in GitPython, a popular Python library for Git interaction. Versions prior to 3.1.47 are susceptible to an attack where a specially crafted clone URL can trick the library into executing arbitrary code. Attackers can exploit this by providing malicious options within a clone command, which, after being parsed, instructs Git to use a compromised hooks path. This allows for code execution during the cloning process, bypassing standard security checks.

The CVSS score of 8.1 (HIGH) underscores the severity of this flaw. The vulnerability, categorized under CWE-88 (Argument Injection), affects any system using a vulnerable version of GitPython to clone repositories. The National Vulnerability Database notes that the affected products were not explicitly specified, but the widespread use of GitPython in development workflows means a broad range of applications and automated systems could be at risk if they perform remote Git operations without proper input sanitization or updated libraries.

Defenders must prioritize updating GitPython to version 3.1.47 or later. For organizations unable to update immediately, implementing stricter input validation on any parameters used in Git clone operations is crucial. Auditing systems for unexpected Git hook executions or unusual configurations related to core.hooksPath should also be considered to detect potential exploitation.
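One way to implement the input validation recommended above, as an added example that is not code from NVD, GitPython or the original article: it rejects any clone URL or branch name that git could read as an option. The scheme allowlist, the ref-name pattern and every function name are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumed policy for this example: only these transports are accepted.
ALLOWED_SCHEMES = {"https", "ssh"}
# Conservative subset of git ref names. The first character must be
# alphanumeric, so a value can never start with "-" and look like an option.
SAFE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,199}")
# Whitespace and control characters have no place in either value.
UNSAFE_CHARS = re.compile(r"[\s\x00-\x1f\x7f]")


class UnsafeCloneInput(ValueError):
    """Raised when a clone parameter fails validation."""


def validate_clone_url(url: str) -> str:
    if not url or url.startswith("-") or UNSAFE_CHARS.search(url):
        raise UnsafeCloneInput(f"rejected clone URL: {url!r}")
    parts = urlsplit(url)
    host = parts.hostname or ""
    # scp-style "user@host:path" has no scheme and is rejected here too.
    if parts.scheme not in ALLOWED_SCHEMES or not host or host.startswith("-"):
        raise UnsafeCloneInput(f"rejected scheme or host in: {url!r}")
    return url


def validate_branch(branch: str) -> str:
    bad_form = ".." in branch or branch.endswith((".lock", "/"))
    if not SAFE_REF.fullmatch(branch) or bad_form:
        raise UnsafeCloneInput(f"rejected branch name: {branch!r}")
    return branch


def checked_clone_args(url: str, branch: str) -> dict:
    """Validate both values; no caller-supplied option strings are forwarded."""
    return {"url": validate_clone_url(url), "branch": validate_branch(branch)}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real incident.
    samples = [("https://example.com/org/repo.git", "main"),
               ("https://example.com/org/repo.git", "--config core.hooksPath=x")]
    for url, branch in samples:
        try:
            print("ok:", checked_clone_args(url, branch))
        except UnsafeCloneInput as err:
            print("blocked:", err)
```

The validated values can then be passed to GitPython's `Repo.clone_from(url, to_path, branch=...)`. This is a stopgap for hosts that cannot yet move to 3.1.47, not a replacement for the upgrade.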

What This Means For You

  • If your development pipelines or any automated processes use GitPython for cloning repositories, you must update GitPython to version 3.1.47 immediately. Failing to do so exposes your systems to remote code execution when cloning from a potentially malicious source.

🛡️ Detection Rules

title: CVE-2026-42284: GitPython RCE via Malicious Clone Command Injection
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects the specific command injection pattern used in CVE-2026-42284 where a malicious Git clone command attempts to abuse the --config option to execute arbitrary hooks. This rule looks for 'git' commands that include both '--config core.hooksPath=' and '--branch', indicating a potential exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42284/
tags:
  - attack.execution
  - attack.t1204.002
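logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'git'
      # Windows process paths end in git.exe, which 'git' alone does not match.
      - '\git.exe'
    # Both substrings must be present. A YAML mapping cannot repeat the
    # CommandLine|contains key, so the two values are combined with |all.
    CommandLine|contains|all:
      - '--config core.hooksPath='
      - '--branch'
  condition: selection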
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID: CVE-2026-42284
Type: Vulnerability
Indicator: CVE-2026-42284

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.