PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52726 jelmer CVE debrief

A vulnerability was discovered in Dulwich, a pure-Python implementation of the Git file formats and protocols. The issue affects versions starting from 0.23.2 up to, but not including, 1.2.5. Specifically, the `dulwich.porcelain.submodule_update` and `porcelain.clone(..., recurse_submodules=True)` functions do not validate paths from a crafted upstream repository. This allows an attacker to write submodule tree contents directly into the victim's `.git/hooks/` directory, preserving executable mode bits. Subsequently, any `git` or `dulwich` command that invokes the matching hook will execute the dropped executables, leading to arbitrary code execution. This vulnerability is similar to CVE-2024-32002 and CVE-2024-32004 in Git but was never addressed in Dulwich's submodule porcelain implementation. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.

Vendor: jelmer
Product: dulwich
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of Dulwich, especially those who call `dulwich.porcelain.submodule_update` or `porcelain.clone` with `recurse_submodules=True`, should be aware of this vulnerability. This includes developers and tooling that rely on Dulwich to interact with Git repositories.

Technical summary

The vulnerability arises from the lack of path validation in `dulwich.porcelain.submodule_update` and `porcelain.clone(..., recurse_submodules=True)`. An attacker can exploit this by crafting a malicious `.gitmodules` file and a matching tree gitlink with a path like `.git/hooks`. This allows the attacker to write executable code into the `.git/hooks/` directory of the victim's repository, which can then be executed by subsequent `git` or `dulwich` commands.
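As an added illustration of the missing check (example code written for this debrief, not Dulwich's code and not the fix shipped in 1.2.5), the block below parses a constructed `.gitmodules` and flags submodule paths that would escape the worktree or land inside `.git`, such as the `.git/hooks` path described above. The sample contents, the `example.invalid` URLs and the function names are assumptions made here.

```python
import posixpath
from typing import Dict, List

# Constructed sample .gitmodules (not from a real repository): one benign
# entry and one whose path points into the victim's .git/hooks directory.
SAMPLE_GITMODULES = """\
[submodule "lib"]
\tpath = vendor/lib
\turl = https://example.invalid/lib.git
[submodule "evil"]
\tpath = .git/hooks
\turl = https://example.invalid/evil.git
"""


def parse_gitmodules(text: str) -> Dict[str, str]:
    """Return {submodule name: path}. Minimal parser for the layout git
    writes; it is not a full git-config parser (no includes, no escapes)."""
    paths: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[submodule") and line.endswith("]"):
            first, last = line.find('"'), line.rfind('"')
            current = line[first + 1:last] if 0 <= first < last else None
            continue
        key, sep, value = line.partition("=")
        if current is not None and sep and key.strip() == "path":
            paths[current] = value.strip()
    return paths


def is_safe_submodule_path(path: str) -> bool:
    """Reject absolute paths, traversal, and any component naming .git.
    Simplified compared to git's own dotgit checks (it ignores 8.3 short
    names such as GIT~1), so treat it as a pre-flight filter only."""
    if not path or posixpath.isabs(path) or "\\" in path or "\x00" in path:
        return False
    for part in path.split("/"):
        if part in ("", ".", ".."):
            return False
        if part.lower().rstrip(". ") == ".git":  # also ".git." / ".git " variants
            return False
    return True


def unsafe_submodules(text: str) -> List[str]:
    """Names of submodules whose declared path fails the safety check."""
    return sorted(n for n, p in parse_gitmodules(text).items()
                  if not is_safe_submodule_path(p))
```

Running `unsafe_submodules(SAMPLE_GITMODULES)` on the constructed sample returns `["evil"]`; a checkout tool would refuse to recurse into any flagged entry.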

Defensive priority

High

Recommended defensive actions

  • Update Dulwich to version 1.2.5 or later.
  • Avoid calling `dulwich.porcelain.submodule_update` or `porcelain.clone` with `recurse_submodules=True` on untrusted repositories.
  • Ensure that all submodule updates are performed from trusted sources.

Evidence notes

The vulnerability was patched in Dulwich version 1.2.5. Users can find more information and the patch at [ref-4](https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5) and [ref-5](https://github.com/jelmer/dulwich/security/advisories/GHSA-gfhv-vqv2-4544).

Official resources

CVE-2026-52726 was published on 2026-06-10T23:16:50.143Z and modified on 2026-06-11T15:21:07.370Z.