Command Injection Vulnerability in gix-submodule by Gitoxide
CVE-2026-40034

7.3HIGH

Key Information:

Vendor

Gitoxide

Status
Gitoxide
Vendor
CVE Published:
26 May 2026

What is CVE-2026-40034?

The gix-submodule component of Gitoxide, prior to version 0.82.0, fails to validate updates specified in the .gitmodules file. This flaw enables unauthorized users to bypass the CommandForbiddenInModulesConfiguration security measure. By manipulating the update field with partial configurations in .git/config, an attacker can inject and execute arbitrary shell commands when the Submodule::update() function is called. This could lead to remote execution of malicious code, posing a significant security risk to affected systems.

Affected Version(s)

gitoxide 0 < 0.82.0

gitoxide 0.82.0

References

https://github.com/GitoxideLabs/gitoxide/security/advisor...
vendor-advisory
https://github.com/GitoxideLabs/gitoxide/commit/6a2e6a436...
patch
https://github.com/GitoxideLabs/gitoxide/commit/dd5c18d9e...
patch

CVSS V4

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.