ZeroPath at Black Hat USA 2026

GitPython CVE-2026-42215: Brief Summary of kwargs Bypass Enabling Remote Code Execution

A brief summary of CVE-2026-42215, a high severity command injection vulnerability in GitPython where underscore form kwargs bypass unsafe option checks, enabling arbitrary command execution in four core Git operations.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-07

GitPython CVE-2026-42215: Brief Summary of kwargs Bypass Enabling Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A validation order bug in GitPython allows attackers to bypass the library's built in protections against dangerous Git options, turning four commonly used API methods into vectors for arbitrary command execution. Any application that forwards user controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() is vulnerable, even when the allow_unsafe_options parameter is left at its default value of False.

GitPython is a widely used Python library for programmatic interaction with Git repositories. It serves as a foundational dependency in CI/CD pipelines, repository management platforms, and developer tooling across the Python ecosystem. The project is currently in maintenance mode, receiving only safety relevant fixes.

Technical Information

Root Cause: Validation Order Bug in cmd.py

The vulnerability originates from a mismatch between when GitPython validates kwargs for unsafe options and when it normalizes those kwargs into command line flags.

GitPython explicitly treats Git helper command options such as --upload-pack and --receive-pack as unsafe because they can be leveraged to execute arbitrary commands on the host system. The function Git.check_unsafe_options() in git/cmd.py is responsible for blocking these options. It correctly identifies and rejects option names in their dash form: upload-pack and receive-pack.

However, GitPython also provides a separate transformation step via Git.transform_kwarg(), which converts Python style underscore kwargs into Git style dash flags. For example, upload_pack becomes --upload-pack. The critical flaw is that check_unsafe_options() runs before this dashification occurs. When a caller passes upload_pack (with an underscore), the safety check sees only the underscore form, does not recognize it as dangerous, and allows it through. The kwarg is then transformed into --upload-pack and passed directly to the Git subprocess.

Affected API Surfaces

Four core GitPython methods are affected, each with a specific dangerous kwarg mapping:

API MethodVulnerable KwargResulting Git Flag
Repo.clone_from()upload_pack--upload-pack
Remote.fetch()upload_pack--upload-pack
Remote.pull()upload_pack--upload-pack
Remote.push()receive_pack--receive-pack

The distinction is straightforward: calling remote.fetch(**{"upload-pack": helper}) is correctly blocked with an UnsafeOptionError, but calling remote.fetch(upload_pack=helper) passes validation and reaches helper execution.

Attack Flow

  1. The attacker identifies an application that uses GitPython and passes externally influenced data into one of the four affected methods as kwargs.
  2. The attacker supplies a value for upload_pack (or receive_pack for push operations) containing a path to a malicious executable or a shell command.
  3. GitPython's check_unsafe_options() inspects the kwarg name upload_pack, does not match it against the blocked list (which contains the dash form), and allows it through.
  4. transform_kwarg() converts upload_pack to --upload-pack and appends the attacker controlled value.
  5. Git executes the specified helper command, achieving arbitrary command execution on the host.

CVSS v3.1 Breakdown

The CVSS 8.8 HIGH score reflects a low barrier to exploitation with severe consequences:

MetricValueImplication
Attack VectorNetworkExploitable remotely
Attack ComplexityLowNo special conditions required
Privileges RequiredLowMinimal authentication needed
User InteractionNoneFully automated exploitation possible
ConfidentialityHighFull data compromise possible
IntegrityHighAbility to modify repositories or artifacts
AvailabilityHighPotential to disrupt services

Realistic Attack Surfaces

The prerequisite for exploitation is that an attacker must control a value that ends up as the upload_pack or receive_pack kwarg. This is realistic in several scenarios:

  • Web applications that allow users to configure repository import behavior or mirror settings
  • Systems that accept a user provided dictionary of extra Git options and pass them through to GitPython
  • CI/CD systems that construct GitPython calls from untrusted integration configuration or webhook payloads

Affected Systems and Versions

GitPython versions greater than or equal to 3.1.30 and strictly less than 3.1.47 are affected. The unsafe option checking mechanism was introduced in version 3.1.30, but the validation order bug meant the protection was incomplete from the start. Version 3.1.47 resolves the issue.

Any application or service that depends on an affected GitPython version and passes externally influenced kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() is vulnerable, regardless of the allow_unsafe_options setting.

Multiple Linux distributions have acknowledged the vulnerability. Ubuntu has published a security advisory for CVE-2026-42215, and Fedora has pushed updates through its testing pipeline.

Vendor Security History

GitPython has a documented pattern of input validation vulnerabilities leading to remote code execution. Most notably, CVE-2022-24439 affected all versions of the package and allowed RCE through improper validation of user input, making it possible to inject a maliciously crafted remote URL into the clone command. The unsafe option checking mechanism introduced in version 3.1.30 was itself a response to this class of vulnerability, making the bypass discovered in CVE-2026-42215 particularly notable: the mitigation for the prior vulnerability class was itself incomplete.

The project is currently in maintenance mode, with the documentation stating that there will be no feature development unless contributed and no bug fixes unless they are relevant to user safety. Despite this reduced posture, the maintainers released version 3.1.47 specifically to address security issues related to bypassing injection protection of unsafe Git flags.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization