Malformed Git Object Parsing in go-git Library
CVE-2026-45022
7 HIGH
What is CVE-2026-45022?
The go-git library, an extensible Git implementation in pure Go, has a vulnerability that arises when it processes ambiguous or malformed headers in Git commit or tag objects. Affected versions may handle such malformed objects differently from the original Git implementation. Consequently, the library's signing and verification logic operates on a reconstructed version of the commit data, which can differ from the actual repository object that was signed. The result is that a commit may appear to carry a valid signature even though its underlying metadata diverges from the intended object.
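The divergence described above, as an added illustration that is not go-git's own code: a hypothetical lenient parser rebuilds the commit headers, and a round-trip check rejects any object whose rebuilt form differs from the raw bytes Git actually signs (the object minus its gpgsig header). The sample commit, its tree hash and the identities in it are constructed.

```go
package main

import (
	"fmt"
	"strings"
)
// Constructed sample (hypothetical hash and identities) with a duplicated "author" header.
const ambiguousCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A Dev <a@example.com> 1700000000 +0000\nauthor B Dev <b@example.com> 1700000000 +0000\n" +
	"committer A Dev <a@example.com> 1700000000 +0000\ngpgsig -----BEGIN PGP SIGNATURE-----\n" +
	" -----END PGP SIGNATURE-----\n\nInitial commit\n"

// signedPayload returns what Git signs: the raw object minus the gpgsig header and its
// space-indented continuation lines; every other header stays verbatim, duplicates included.
func signedPayload(raw string) string {
	head, msg, _ := strings.Cut(raw, "\n\n")
	kept, inSig := []string{}, false
	for _, line := range strings.Split(head, "\n") {
		inSig = strings.HasPrefix(line, "gpgsig ") || (inSig && strings.HasPrefix(line, " "))
		if !inSig {
			kept = append(kept, line)
		}
	}
	return strings.Join(kept, "\n") + "\n\n" + msg
}

// reconstruct models a lenient parser that keeps one value per header name (first wins)
// and re-serializes: a rebuilt payload that can silently diverge from the raw object.
func reconstruct(raw string) string {
	head, msg, _ := strings.Cut(raw, "\n\n")
	seen, kept := map[string]bool{}, []string{}
	for _, line := range strings.Split(head, "\n") {
		k, _, _ := strings.Cut(line, " ")
		if k != "gpgsig" && k != "" && !seen[k] { // drops signature, continuation and repeated headers
			seen[k] = true
			kept = append(kept, line)
		}
	}
	return strings.Join(kept, "\n") + "\n\n" + msg
}

// verifiablePayload: hand a payload to signature verification only if rebuilt == raw bytes.
func verifiablePayload(raw string) (string, bool) {
	signed := signedPayload(raw)
	return signed, signed == reconstruct(raw)
}

func main() {
	_, ok := verifiablePayload(ambiguousCommit)
	fmt.Println("safe to verify signature:", ok) // false: one author line was silently dropped
}
```

A well-formed commit round-trips and is passed on; the duplicated-header sample is rejected before any signature check, so a signature over the rebuilt bytes can never vouch for metadata the raw object does not contain.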
Affected Version(s)
go-git < 5.19.0
go-git >= 6.0.0-alpha.1, < 6.0.0-alpha.3
