CVE-2026-52726
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability that allows for the injection of attacker-controlled submodule paths from a malicious repository. Versions from 0.23.2 to prior to 1.2.5 do not validate paths, leading to arbitrary code execution.
Risk Assessment
Organizations may be exposed to arbitrary code execution due to unauthorized access to the `.git/hooks` directory, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to version 1.2.5 or later to patch this vulnerability and secure the system against potential attacks.
Original NVD description (English source)
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.

