Arbitrary Code Execution Vulnerability in GitHub Copilot CLI
CVE-2026-45033

8.5 HIGH

Key Information:

Vendor

Github

CVE Published:
13 May 2026

What is CVE-2026-45033?

GitHub Copilot CLI before version 1.0.43 allows arbitrary code execution through a malicious bare git repository. When the CLI runs git operations, git's automatic bare-repository discovery walks the directory hierarchy and can pick up an attacker-controlled bare repository; an attacker who has placed executable configuration keys such as core.fsmonitor in that repository's config can have git run those commands without the user's consent. Because the discovery happens during ordinary git operations such as status, diff, or rev-parse, the flaw can be triggered during normal use and can lead to compromise of the user's system.
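The mechanism above is git's own: a bare repository found during discovery supplies its config file, and some config keys hold commands that git executes during routine operations. The script below is an added defensive example and is not code from the advisory, GitHub, or the Copilot CLI project. It walks a directory tree, identifies git directories by the same shape check git uses (a HEAD file plus objects/ and refs/ directories), parses each config with a minimal git-config parser, and reports bare repositories that set executable keys. core.fsmonitor is the key named in the advisory; the other keys in EXECUTABLE_KEYS are an assumption taken from the git-config documentation. It also checks for git's safe.bareRepository=explicit setting (git 2.38 and later), which is not mentioned on this page but makes git ignore bare repositories found by discovery. The sample tree it scans is constructed inline with a harmless placeholder value.

```python
import os
import re
import tempfile
from pathlib import Path

# Config keys whose values git runs as commands (or uses to locate code it runs)
# during routine operations. core.fsmonitor is the key the advisory names; the
# others are an assumption drawn from the git-config documentation.
EXECUTABLE_KEYS = frozenset({
    "core.fsmonitor", "core.sshcommand", "core.pager", "core.editor",
    "core.hookspath", "core.gitproxy", "diff.external", "gpg.program",
    "credential.helper", "sequence.editor",
})

_SECTION = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
_KEYVAL = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Minimal git-config parser: returns {"section[.subsection].key": value}.
    Section and key names are lower-cased (git treats them case-insensitively);
    a key with no '=' is a boolean true, as in git."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = _KEYVAL.match(line)
        if m and section is not None:
            value = m.group(2)
            if value is not None:
                # Drop a trailing comment and surrounding quotes; enough for detection.
                value = re.split(r"\s[#;]", value)[0].strip().strip('"')
            entries[f"{section}.{m.group(1).lower()}"] = "true" if value is None else value
    return entries


def is_git_dir(path):
    """Shape check git uses when discovering a repository directory."""
    return (path / "HEAD").is_file() and (path / "objects").is_dir() and (path / "refs").is_dir()


def scan_tree(root):
    """Walk root and return (repo_dir, is_bare, key, value) for every git
    directory whose config sets one of EXECUTABLE_KEYS."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if not is_git_dir(d):
            continue
        dirnames[:] = []  # no need to descend into objects/ and refs/ of a repo
        cfg_file = d / "config"
        cfg = parse_git_config(cfg_file.read_text()) if cfg_file.is_file() else {}
        # git infers bareness from core.bare, falling back to "not named .git".
        default_bare = "false" if d.name == ".git" else "true"
        bare = cfg.get("core.bare", default_bare).lower() == "true"
        for key in sorted(EXECUTABLE_KEYS):
            if key in cfg:
                findings.append((str(d), bare, key, cfg[key]))
    return findings


def safe_bare_repository_is_explicit(global_config_text):
    """True when safe.bareRepository=explicit is set (git 2.38+), which makes git
    ignore bare repositories reached only through directory discovery."""
    cfg = parse_git_config(global_config_text)
    return cfg.get("safe.barerepository", "all").lower() == "explicit"


def build_sample_tree():
    """Constructed sample, not a real incident: one bare repo whose config sets
    core.fsmonitor to a harmless placeholder, one clean bare repo, one work tree."""
    root = Path(tempfile.mkdtemp(prefix="barescan-"))

    def make_git_dir(d, config_text):
        (d / "objects").mkdir(parents=True)
        (d / "refs").mkdir()
        (d / "HEAD").write_text("ref: refs/heads/main\n")
        (d / "config").write_text(config_text)

    make_git_dir(root / "vendor" / "sample.git",
                 "[core]\n\tbare = true\n\tfsmonitor = /usr/bin/true  # placeholder value\n")
    make_git_dir(root / "vendor" / "clean.git", "[core]\n\tbare = true\n")
    make_git_dir(root / "project" / ".git", "[core]\n\tbare = false\n\tfilemode = true\n")
    return root


if __name__ == "__main__":
    for repo, bare, key, value in scan_tree(build_sample_tree()):
        kind = "bare" if bare else "work-tree"
        print(f"{kind} repository {repo} sets {key} = {value!r}")
    print("safe.bareRepository=explicit:",
          safe_bare_repository_is_explicit("[safe]\n\tbareRepository = explicit\n"))
```

Run it against a real checkout directory by replacing build_sample_tree() with the path to scan; a hit on a bare repository you did not create yourself is the condition the advisory describes, and setting safe.bareRepository to explicit in the global git config removes the discovery path regardless of which client invokes git.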

Affected Version(s)

copilot-cli < 1.0.43

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
