Information Disclosure in go-git
CVE-2026-41506

4.7 MEDIUM

Key Information:

Vendor

Go-git

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-41506?

go-git, an extensible Git implementation library written in pure Go, has a vulnerability that can leak HTTP authentication credentials. The leak occurs when go-git follows redirects during smart-HTTP clone and fetch operations. Versions prior to 5.18.0 and 6.0.0-alpha.2 are affected; the issue is fixed in those releases.

Affected Version(s)

go-git < 5.18.0

go-git < 6.0.0-alpha.2

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved