simple-git RCE: Incomplete Fix Leaves Critical Vulnerability Open

The National Vulnerability Database has disclosed CVE-2026-6951, a critical Remote Code Execution (RCE) vulnerability in versions of the simple-git package prior to 3.36.0. This flaw stems from an incomplete fix for CVE-2022-25912. While the previous patch blocked the -c option in Git commands, it failed to account for the equivalent --config form.

Attackers can exploit this oversight if untrusted input is passed to the options argument of simple-git. By enabling protocol.ext.allow=always and leveraging an ext:: clone source, a malicious actor can achieve remote code execution. This is not a theoretical concern; it’s a bypass that reopens a previously patched attack vector.

With a CVSS score of 9.8, this vulnerability is critical. It underscores the challenge of fully patching complex issues and the need for thorough validation across all permutations of command-line arguments. Defenders must assume attackers are actively probing for such incomplete fixes.

What This Means For You

  • If your development environment or applications rely on `simple-git`, you are exposed to critical RCE. Immediately identify all instances of `simple-git` in your codebase and ensure they are updated to version 3.36.0 or higher. Audit any code that passes untrusted input to `simple-git` options, as this is the primary attack vector. This isn't just about updating a library; it's about closing a clear path for attackers to compromise your systems.
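
The audit described above, as an added example (not from the original advisory and not simple-git's own code): an application-side allowlist for caller-supplied clone options, shown beside a narrow `-c` denylist that the `--config` form passes. The function names, the permitted flags and the https-only source rule are assumptions for illustration.

```javascript
// Added example: validate untrusted input before it reaches simple-git's
// options argument. All names below are hypothetical application code.

// Narrow denylist: blocks only the short "-c" form, so "--config" passes.
function narrowDenylistAllows(options) {
  return !options.some((opt) => /^-c/.test(opt));
}

// Allowlist: the only git clone options this application lets callers set.
const FLAGS = new Set(['--bare', '--no-checkout', '--single-branch', '--no-tags']);
const VALUE_FLAGS = new Map([
  ['--depth', /^[1-9][0-9]{0,5}$/],
  ['--branch', /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,99}$/],
]);

// Accepts bare flags from FLAGS and "--name=value" tokens from VALUE_FLAGS.
// Anything else, including -c, --config and --config=..., is rejected.
function validateCloneOptions(options) {
  if (!Array.isArray(options)) return { ok: false, reason: 'options must be an array' };
  for (const opt of options) {
    if (typeof opt !== 'string') return { ok: false, reason: 'non-string option' };
    if (FLAGS.has(opt)) continue;
    const eq = opt.indexOf('=');
    const pattern = eq > 0 ? VALUE_FLAGS.get(opt.slice(0, eq)) : undefined;
    if (!pattern || !pattern.test(opt.slice(eq + 1))) {
      return { ok: false, reason: `option not on allowlist: ${opt}` };
    }
  }
  return { ok: true };
}

// Clone sources: https:// URLs only, which excludes ext:: sources.
function validateCloneSource(source) {
  let url;
  try {
    url = new URL(source);
  } catch {
    return { ok: false, reason: 'source is not a URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  return { ok: true };
}
```

Call both validators before handing the source and options to simple-git, and reject the request if either returns `ok: false`.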

🛡️ Detection Rules

```yaml
title: CVE-2026-6951 - SimpleGit RCE via --config option
id: scw-2026-04-25-ai-1
status: experimental
level: critical
description: |
  Detects the use of the '--config protocol.ext.allow=always' and 'ext::' parameters in the command line, which is a specific indicator of the CVE-2026-6951 vulnerability exploitation in simple-git. This allows an attacker to achieve RCE by bypassing security measures and executing arbitrary commands.
author: SCW Feed Engine (AI-generated)
date: 2026-04-25
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6951/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    # simple-git runs git as a child of the Node.js process, so the git
    # command line is matched on the child and node.exe on its parent.
    ParentImage|contains:
      - 'node.exe'
    # 'all' requires both strings to be present, as the description states.
    CommandLine|contains|all:
      - '--config protocol.ext.allow=always'
      - 'ext::'
  # condition belongs under detection, not inside the selection map.
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6951 | RCE | package simple-git versions before 3.36.0 |
| CVE-2026-6951 | RCE | incomplete fix for CVE-2022-25912 |
| CVE-2026-6951 | RCE | use of --config option with simple-git |
| CVE-2026-6951 | RCE | enabling protocol.ext.allow=always and using ext:: clone source |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 25, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
