PatchSiren cyber security CVE debrief
CVE-2026-45022 go-git CVE debrief
go-git is a pure Go implementation of Git used by many tools and services for programmatic repository operations. This vulnerability affects versions prior to 5.19.0 and 6.0.0-alpha.3, where malformed Git objects may be parsed differently than upstream Git would handle them. When commit or tag objects contain ambiguous or malformed headers, go-git's internal representation can expose values that diverge from Git's interpretation. More critically, go-git's commit signing and verification operates on reconstructed data from its parsed representation rather than original raw object bytes. This creates a signature validity gap: a signature may verify successfully against go-git's reconstructed payload while the effective commit metadata differs from what was intended to be signed. The CVSS 4.0 vector indicates network attack vector with high attack complexity, low privileges required, and high impact to integrity of both the vulnerable system and subsequent systems. The weakness classifications are CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize) and CWE-345 (Insufficient Verification of Data Authenticity). Fixes are available in go-git 5.19.0 and 6.0.0-alpha.3.
- Vendor
- go-git
- Product
- Unknown
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-27
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-27
Who should care
Organizations using go-git library for Git operations, particularly those implementing automated commit signing, verification, or attestation workflows; CI/CD platform operators; supply chain security teams; developers of Go-based Git tooling
Technical summary
The vulnerability stems from two architectural behaviors in go-git: (1) parsing of malformed Git object headers that may not match upstream Git's rejection or canonicalization behavior, and (2) commit signing/verification operating on reconstructed data from go-git's internal representation rather than the original raw object bytes. This creates a canonicalization attack surface where an attacker could craft a malformed commit that go-git interprets differently than Git itself, yet still produces a valid-appearing signature. The reconstructed payload for signing/verification may not be byte-for-byte identical to the stored object, breaking the cryptographic binding between signature and intended content. This affects integrity guarantees in automated signing workflows, CI/CD systems, and any application relying on go-git for commit verification without cross-checking against upstream Git.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade go-git to version 5.19.0 or 6.0.0-alpha.3 or later
- Audit applications using go-git for commit signing/verification workflows
- Review signed commits in repositories processed by affected go-git versions for potential integrity discrepancies
- Verify that CI/CD pipelines and automated tooling using go-git are updated to fixed versions
- Consider additional signature verification using upstream Git for high-assurance scenarios
Evidence notes
CVE description confirms affected versions prior to 5.19.0 and 6.0.0-alpha.3; GitHub Security Advisory GHSA-389r-gv7p-r3rp is cited as primary reference; CVSS 4.0 vector provided in source metadata; CWE-180 and CWE-345 identified as weakness classifications.
Official resources
-
CVE-2026-45022 CVE record
CVE.org
-
CVE-2026-45022 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
2026-05-27