GitPython CVE-2026-44244 Allows Remote Code Execution via HooksPath Injection

The National Vulnerability Database has disclosed CVE-2026-44244, a high-severity vulnerability in GitPython versions prior to 3.1.49. This flaw, rated 7.8 CVSS, stems from GitConfigParser.set_value() failing to validate input for newlines before passing values to Python’s configparser. While GitPython attempts to mitigate newlines by converting them into indented continuation lines, Git itself still interprets an indented [core] stanza as a valid section header.

This parsing discrepancy enables an attacker to inject a malicious core.hooksPath configuration. Any subsequent Git operation that triggers hooks (such as commit, merge, or checkout) will then execute scripts from an attacker-controlled path. This is a critical code execution vector, as it allows arbitrary code to run on a developer’s machine or a CI/CD pipeline.

Defenders must understand the attacker’s calculus here: this is about supply chain poisoning and developer workstation compromise. An attacker isn’t just trying to break a single application; they’re aiming for persistence and lateral movement within the development environment. Patching GitPython is non-negotiable, but also consider the broader implications of how Git repositories are handled and who has write access.

What This Means For You

  • If your development environment or CI/CD pipelines use GitPython, you are at risk. Immediately identify all instances of GitPython in your codebase and ensure they are updated to version 3.1.49 or later. Audit your Git configurations for any suspicious `core.hooksPath` entries, especially in repositories shared or cloned from external sources.
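The audit suggested above can be scripted. The following is an added example, not code from GitPython or from the original advisory: it reads a Git config file the way Git does (leading whitespace ignored), reports every `core.hooksPath` setting, and reports indented section headers, the artifact this bug leaves on disk. The function names, the sample file and the `/tmp/placeholder-hooks` path are constructed for illustration.

```python
import re

# Git ignores leading whitespace, so an indented "[core]" still opens a section.
SECTION_RE = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"(?:[^"\\]|\\.)*")?\s*\]')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

def audit_git_config(text):
    """Return (line_no, kind, detail) findings for one Git config file's text."""
    findings, section, continued = [], None, False
    for no, raw in enumerate(text.splitlines(), 1):
        if continued:  # previous value ended with a backslash: still that value
            continued = raw.endswith("\\")
            continue
        rest = raw
        header = SECTION_RE.match(raw)
        if header:
            section = header.group(1).lower()
            if raw[:1] in (" ", "\t"):  # Git itself writes headers at column 0
                findings.append((no, "indented-section-header", raw.strip()))
            rest = raw[header.end():]  # Git allows "key = value" after the header
        if not rest.strip() or rest.lstrip()[0] in "#;":
            continue  # blank line or comment
        key = KEY_RE.match(rest)
        if not key:
            continue
        continued = rest.endswith("\\")
        if section == "core" and key.group(1).lower() == "hookspath":
            findings.append((no, "core.hooksPath", (key.group(2) or "").strip()))
    return findings

def reject_multiline(value):
    """Caller-side guard (hypothetical helper): refuse values that span lines."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("config value contains a line break or NUL")
    return value

# Constructed sample: the on-disk result the advisory describes, where a value
# written with an embedded newline leaves an indented [core] stanza behind.
SAMPLE = (
    "[core]\n\trepositoryformatversion = 0\n"
    "[user]\n\tname = build-bot\n"
    "\t[core]\n\thooksPath = /tmp/placeholder-hooks\n"
)

if __name__ == "__main__":
    for finding in audit_git_config(SAMPLE):
        print(finding)
```

A `core.hooksPath` finding on its own is not proof of compromise, since teams set it legitimately; the indented header next to it is what warrants a closer look.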

🛡️ Detection Rules

high T1059.006 Execution

CVE-2026-44244 - GitPython hooksPath Injection RCE

Sigma YAML:
title: CVE-2026-44244 - GitPython hooksPath Injection RCE
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects the exploitation of CVE-2026-44244 by identifying the GitPython library being used to set the 'core.hooksPath' configuration, which is a precursor to remote code execution by redirecting Git hooks to an attacker-controlled path.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44244/
tags:
  - attack.execution
  - attack.t1059.006
logsource:
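  category: process_creation
detection:
  # Matches a process whose image path starts with C:\Python and whose
  # command line sets core.hooksPath in the local repository config.
  selection:
    Image|startswith:
      - 'C:\Python'
    CommandLine|contains:
      - 'config --local core.hooksPath'
  # condition belongs directly under detection, beside selection
  condition: selection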
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44244 | Code Injection | GitPython library prior to version 3.1.49 |
| CVE-2026-44244 | Misconfiguration | GitConfigParser.set_value() without newline validation |
| CVE-2026-44244 | RCE | Injected core.hooksPath leading to execution of attacker-controlled scripts |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
