CVE-2026-44471: gitoxide Symlink Vulnerability Exposes Filesystem to Attack
The National Vulnerability Database has published CVE-2026-44471, a high-severity vulnerability (CVSS 7.8) in gitoxide versions prior to 0.21.1. The flaw is classified as CWE-59 (Improper Link Resolution Before File Access). An attacker who can get a victim to check out a crafted Git tree with an affected gitoxide can have an attacker-controlled symlink written into any existing directory the checking-out user can write to, not only into the worktree itself.
The bug is in how gitoxide handles symlink index entries during checkout. Symlink entries are deferred and created after regular files, and both phases share one gix_worktree::Stack backed by a gix_fs::Stack. gix_fs::Stack::make_relative_path_current() caches path prefixes it has already validated: when the leaf component of a previously processed path matches the leading components of the next path, those components are treated as already checked. The on-disk symlink_metadata() check and the unlink-on-collision logic are therefore skipped for them, and the delegate that does run for the reused prefix, Attributes::push_directory(), only loads attributes and performs no such check.
Exploitation uses a Git tree with duplicate symlink and directory entries for the same path, so that a cached, previously validated prefix is reused for a path whose on-disk component has meanwhile become a symlink. The final symlink is created with std::os::unix::fs::symlink, i.e. symlink(2), which resolves symlinks in the parent components of the destination path, so the new link is written into whatever directory the earlier attacker-controlled symlink points at. The primitive is an attacker-chosen symlink in any existing directory the user can write to; what that yields in practice depends on which later operations follow the link, which is why the NVD entry treats it as an arbitrary file write. Defenders should prioritize updating to version 0.21.1, where the bug is fixed.
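The following is an added example written for this page; it is not gitoxide's code and does not reproduce its stack machinery. It models the consequence the advisory describes: a symlink entry `dir` that points outside the worktree, followed by an entry `dir/pwned` whose leading component is treated as already validated. The unchecked variant calls `std::os::unix::fs::symlink` directly and the link lands in the outside directory because symlink(2) resolves parent components; the hardened variant re-runs `symlink_metadata()` (lstat) on every parent component and refuses. Directory names, the `outside` stand-in for "any writable existing directory", and the link target are all constructed for the demo. Unix only.

```rust
// Added example, not code from gitoxide. Models why skipping the per-component
// symlink_metadata() check on a cached, "already validated" prefix lets a
// symlink escape the worktree, and the check that stops it.
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};

/// Unsafe step: create the symlink entry trusting an earlier validation of
/// its parent components. symlink(2) resolves every parent component, so if
/// one of them has become a symlink the new link is created inside that
/// symlink's target directory instead of inside the worktree.
fn create_symlink_unchecked(worktree: &Path, rel_path: &str, target: &str) -> io::Result<()> {
    symlink(target, worktree.join(rel_path))
}

/// Hardened step: re-check every parent component on disk right before the
/// create. symlink_metadata() does not follow links, so a symlinked component
/// is detected rather than traversed. Non-plain components (`..`, absolute
/// roots) are rejected so the path cannot escape the worktree lexically either.
/// (A real checkout would also create missing directories; this demo only
/// validates ones that already exist.)
fn create_symlink_checked(worktree: &Path, rel_path: &str, target: &str) -> io::Result<()> {
    let rel = Path::new(rel_path);
    if !rel.components().all(|c| matches!(c, Component::Normal(_))) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, format!("refusing path {}", rel_path)));
    }
    let mut cur = worktree.to_path_buf();
    let parent = rel.parent().unwrap_or_else(|| Path::new(""));
    for comp in parent.components() {
        cur.push(comp);
        let md = fs::symlink_metadata(&cur)?; // lstat: never follows links
        if !md.file_type().is_dir() {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("{} is not a real directory", cur.display()),
            ));
        }
    }
    symlink(target, worktree.join(rel))
}

/// Lays out the constructed malicious tree in a fresh temp directory:
/// `worktree/dir` is a symlink entry pointing at `outside`, an existing
/// directory beyond the checkout that the user can write to.
fn setup_scenario(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let base = std::env::temp_dir().join(format!("cve-2026-44471-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&base);
    let worktree = base.join("worktree");
    let outside = base.join("outside");
    fs::create_dir_all(&worktree)?;
    fs::create_dir_all(&outside)?;
    symlink(&outside, worktree.join("dir"))?;
    Ok((worktree, outside))
}

fn is_symlink(p: &Path) -> bool {
    fs::symlink_metadata(p).map(|m| m.file_type().is_symlink()).unwrap_or(false)
}

/// Plays the second tree entry, `dir/pwned`, through both variants.
/// Returns (unchecked link escaped the worktree, checked variant refused,
/// checked variant still accepts a benign path under a real directory).
fn run_demo() -> io::Result<(bool, bool, bool)> {
    let target = "/nonexistent/attacker-chosen"; // constructed; dangling is fine for symlink(2)

    let (wt, outside) = setup_scenario("unchecked")?;
    create_symlink_unchecked(&wt, "dir/pwned", target)?;
    let escaped = is_symlink(&outside.join("pwned")) && !is_symlink(&wt.join("pwned"));
    let _ = fs::remove_dir_all(wt.parent().unwrap());

    let (wt, outside) = setup_scenario("checked")?;
    let refused = create_symlink_checked(&wt, "dir/pwned", target).is_err()
        && !is_symlink(&outside.join("pwned"));
    fs::create_dir(wt.join("real"))?;
    let benign_ok = create_symlink_checked(&wt, "real/ok", target).is_ok()
        && is_symlink(&wt.join("real").join("ok"));
    let _ = fs::remove_dir_all(wt.parent().unwrap());

    Ok((escaped, refused, benign_ok))
}

fn main() -> io::Result<()> {
    let (escaped, refused, benign_ok) = run_demo()?;
    println!("unchecked symlink() landed outside the worktree: {}", escaped);
    println!("per-component symlink_metadata() check refused it: {}", refused);
    println!("same check still allows a benign link under a real dir: {}", benign_ok);
    Ok(())
}
```

The point of the hardened variant is that the validation happens at the moment of the create, against the filesystem, rather than against a cached notion of what the prefix looked like when an earlier entry was processed. Even with lstat-per-component there is still a race window between the check and the `symlink` call; closing that requires `symlinkat` with a directory file descriptor opened with `O_NOFOLLOW`, which is outside this demo.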
What This Means For You
- If your organization uses `gitoxide` (including tools that depend on its `gix` crates) to check out repositories you do not fully control, an attacker who controls such a repository can place a symlink in any existing directory your user can write to. What follows or writes through that link afterwards determines the impact, so treat this as a filesystem-integrity primitive, not a theoretical weakness. Inventory every `gitoxide` installation and dependency and update to version 0.21.1 or later.
🛡️ Detection Rules
```yaml
title: CVE-2026-44471: gitoxide Symlink Creation in Unexpected Directories
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Flags symlink creation events whose path contains a .git directory. CVE-2026-44471 lets a
  malicious Git tree, when checked out by an affected gitoxide version, create attacker-controlled
  symlinks in any existing directory the checking-out user can write to, so this rule covers only
  the narrow case where such a symlink lands under a .git directory. It will not see symlinks
  created elsewhere in or outside the worktree; treat it as a starting point and extend the path
  filter to the locations your checkouts and build systems write to.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44471/
tags:
  - attack.defense_evasion
logsource:
  category: file_event
detection:
  selection:
    # 'symlink_creation' is not a standard Sigma file_event field value; map it to
    # your sensor's symlink-create event (e.g. auditd symlink/symlinkat syscalls).
    EventType: 'symlink_creation'
    TargetFilename|contains:
      - '/.git/'
  condition: selection
falsepositives:
  - Legitimate administrative activity
  - Developer tooling that installs symlinked hooks under .git/hooks
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44471 | Affected versions | gitoxide prior to 0.21.1 (fixed in 0.21.1) |
| CVE-2026-44471 | Attack vector | Checkout of a malicious Git tree containing duplicate symlink and directory entries, resulting in an attacker-controlled symlink in any writable existing directory |
| CVE-2026-44471 | Root cause (CWE-59) | gix_fs::Stack::make_relative_path_current() reuses cached, previously validated path prefixes, skipping the symlink_metadata() and unlink-on-collision checks in gix_worktree::stack::delegate::StackDelegate |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.