PatchSiren cyber security CVE debrief
CVE-2026-45570 go-git CVE debrief
go-git is a pure Go implementation of Git used by many applications for programmatic repository access. This CVE documents a command injection vulnerability in the library's SSH transport: repository paths are wrapped in single quotes when the remote exec command (such as the upload-pack or receive-pack invocation) is built, but single quotes embedded in the path are not escaped. A path containing a single quote can therefore close the quoted region and append further shell tokens to the command string, which the SSH server hands to the remote account's shell. Exploitation requires a victim to clone or otherwise interact with a repository whose path the attacker controls, so it depends on social engineering or a supply-chain scenario in which the attacker chooses repository names. The CVSS 4.0 score of 2.3 (LOW) reflects the required user interaction and the limited scope of impact. The vulnerability is patched in go-git 5.19.1 and 6.0.0-alpha.4. Organizations using go-git for SSH-based Git operations should inventory their dependencies and upgrade to a patched version.
- Vendor: go-git
- Product: Unknown
- CVSS: LOW 2.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Development teams using go-git for Git automation, DevOps engineers managing CI/CD pipelines with go-git dependencies, security teams tracking supply chain risks in Go applications
Technical summary
The go-git SSH transport builds the remote exec command by wrapping the repository path in single quotes without escaping single quotes that appear inside it. A path containing a single quote closes the quoted region early, and everything after it is parsed by the remote shell as additional tokens (further words, or operators such as ';') rather than as part of the path. This is improper encoding or escaping of output (CWE-116): shell metacharacters in data are not neutralized before the data is embedded in a command string. The bug is reachable whenever a user clones from or pushes to an SSH remote whose path contains an attacker-chosen single quote. Versions 5.19.1 and 6.0.0-alpha.4 fix it by escaping single quotes in the path when the SSH command is constructed.
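To make the quoting failure concrete, the following added Go program is an illustration written for this debrief, not go-git's own code. It places the vulnerable pattern (wrap the path in single quotes, escape nothing) beside the standard POSIX fix (replace each embedded ' with '\'' inside the quotes), runs both through a minimal single-quote-aware tokenizer that stands in for the remote shell, and adds a conservative path allowlist as defense in depth. The service name `git-upload-pack`, the path `repo'; touch /tmp/pwned; '` and the function names are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// buildCommandNaive mirrors the vulnerable pattern described in the advisory:
// the path is wrapped in single quotes but embedded single quotes are not escaped.
func buildCommandNaive(service, path string) string {
	return fmt.Sprintf("%s '%s'", service, path)
}

// shellQuote is the standard POSIX single-quote escape: a literal ' closes the
// quoted run, a backslash-escaped quote is emitted, and quoting is reopened.
// The remote shell joins the pieces back into one word.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// buildCommandSafe is the hardened form of buildCommandNaive.
func buildCommandSafe(service, path string) string {
	return service + " " + shellQuote(path)
}

// shellWords is a deliberately small tokenizer that understands single quotes,
// backslash escapes outside quotes, whitespace, and the ';' operator. It exists
// only to show what the remote shell would see; it is not a full sh parser.
func shellWords(cmd string) []string {
	var words []string
	var cur strings.Builder
	inWord := false
	flush := func() {
		if inWord {
			words = append(words, cur.String())
			cur.Reset()
			inWord = false
		}
	}
	for i := 0; i < len(cmd); i++ {
		c := cmd[i]
		switch {
		case c == '\'': // everything up to the next ' is literal
			inWord = true
			i++
			for i < len(cmd) && cmd[i] != '\'' {
				cur.WriteByte(cmd[i])
				i++
			}
		case c == '\\' && i+1 < len(cmd): // backslash escapes the next byte
			inWord = true
			i++
			cur.WriteByte(cmd[i])
		case c == ' ' || c == '\t':
			flush()
		case c == ';': // command separator: a new word list begins here
			flush()
			words = append(words, ";")
		default:
			inWord = true
			cur.WriteByte(c)
		}
	}
	flush()
	return words
}

// repoPathOK is an allowlist check applications can apply before handing a path
// to any transport: a conservative character set, which rejects quotes and
// other shell metacharacters outright. Escaping is still required; this only
// narrows the input space as defense in depth.
var repoPathRe = regexp.MustCompile(`^[A-Za-z0-9._~/-]+$`)

func repoPathOK(path string) bool {
	return repoPathRe.MatchString(path) && !strings.Contains(path, "..")
}

func main() {
	// Constructed attacker-controlled repository path (not from the advisory).
	evil := "repo'; touch /tmp/pwned; '"
	for _, cmd := range []string{
		buildCommandNaive("git-upload-pack", evil),
		buildCommandSafe("git-upload-pack", evil),
	} {
		fmt.Printf("%-55s -> %q\n", cmd, shellWords(cmd))
	}
	fmt.Println("allowlist accepts evil path:", repoPathOK(evil))
}
```

With the naive builder the tokenizer sees seven tokens, including a ';' operator followed by the word `touch`; with the hardened builder it sees exactly two words, and the second is the original path byte for byte. Note that the allowlist rejects legitimate paths with spaces or non-ASCII names, so it suits applications that generate their own repository layout rather than general-purpose Git clients.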
Defensive priority
routine
Recommended defensive actions
- Inventory applications and services using go-git library for SSH Git operations
- Upgrade go-git to 5.19.1 or later on the v5 line, or to 6.0.0-alpha.4 or later on the v6 line
- Review repository path handling in custom applications built on go-git
- Monitor for anomalous SSH Git operations involving repository paths with special characters
- Validate repository path inputs in applications that construct Git URLs or paths programmatically
Evidence notes
CVE published 2026-05-27. Advisory confirms fix in 5.19.1 and 6.0.0-alpha.4. CVSS 4.0 vector indicates network attack vector with required user interaction and partial attack complexity.
Official resources
- CVE-2026-45570 CVE record (CVE.org)
- CVE-2026-45570 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27