Symlink Vulnerability in gitoxide by GitoxideLabs
CVE-2026-44471

7.8HIGH

Key Information:

Vendor: Gitoxidelabs
Status: Gitoxide
Vendor: CVE Published:; 13 May 2026

🔔 Create Gitoxidelabs Vulnerability Alert

What is CVE-2026-44471?

A vulnerability in gitoxide prior to version 0.21.1 allows an attacker to construct a malicious tree that can create symlinks within any user-accessible directory. This occurs because during the checkout process, symlink entries are created after regular files, which allows the exploitation of directory structures using cached path prefixes. As a result, users could inadvertently create symlinks controlled by the attacker, leading to potential security risks such as unauthorized access to sensitive data. The issue has been resolved in version 0.21.1, which mitigates the symlink creation flaw by enforcing appropriate checks.

Affected Version(s)

gitoxide < 0.21.1

References

https://github.com/GitoxideLabs/gitoxide/security/advisor...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 13, 2026
Vulnerability Reserved
May 6, 2026

CVE-2026-44471 Data

JSON