CVE Catalog

CVE-2026-52726

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

27th percentile - higher than 27% of all known CVEs

Summary

Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability that allows for the injection of attacker-controlled submodule paths from a malicious repository. Versions from 0.23.2 to prior to 1.2.5 do not validate paths, leading to arbitrary code execution.

Risk Assessment

Organizations may be exposed to arbitrary code execution due to unauthorized access to the `.git/hooks` directory, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade to version 1.2.5 or later to patch this vulnerability and secure the system against potential attacks.

Original NVD description (English source)

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS