PT-2026-37125 · Go-Git · Go-Git
Ayushparkara +2
Published 2026-04-17 · Updated 2026-05-20
CVE-2026-41506
CVSS v3.1: 7.4 (High), vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
go-git versions prior to 5.18.0
go-git versions prior to 6.0.0-alpha.2
Description
During smart-HTTP clone and fetch operations, the library may leak HTTP authentication credentials when following redirects. If a remote repository responds to the initial '/info/refs' request with a redirect to a different host, the session endpoint is updated to the redirected location and the original authentication (for example, the Authorization header) is reused for the subsequent requests sent to that new host. An attacker controlling the redirect target can therefore capture the credentials and potentially access the victim's repositories or other resources. The issue arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections.
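The check the advisory implies, as an added example that is neither go-git's own code nor the upstream fix: the initial '/info/refs' request is sent without auto-following redirects, and the credential is only carried over to the updated endpoint when the redirect stays on the original scheme and host. The function name ResolveEndpoint and its return convention are assumptions of this example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// ResolveEndpoint sends the initial /info/refs request with auth and returns the
// endpoint later requests should use, plus the Authorization value that may be
// reused for it: "" when the redirect left the original scheme and host.
func ResolveEndpoint(base, auth string) (endpoint, reuseAuth string, err error) {
	const infoRefs = "/info/refs?service=git-upload-pack"
	orig, err := url.Parse(base)
	if err != nil {
		return "", "", err
	}
	// Never auto-follow: the redirect target is inspected before anything is resent.
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	req, err := http.NewRequest(http.MethodGet, base+infoRefs, nil)
	if err != nil {
		return "", "", err
	}
	req.Header.Set("Authorization", auth)
	resp, err := client.Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 300 || resp.StatusCode > 399 {
		return base, auth, nil // no redirect: endpoint and credential unchanged
	}
	loc, err := resp.Location()
	if err != nil {
		return "", "", err
	}
	endpoint = strings.TrimSuffix(loc.String(), infoRefs)
	if !strings.EqualFold(orig.Scheme, loc.Scheme) || !strings.EqualFold(orig.Host, loc.Host) {
		return endpoint, "", nil // cross-origin redirect: the credential must not follow
	}
	return endpoint, auth, nil
}
```

A caller that builds the follow-up git-upload-pack request from the returned endpoint and reuseAuth will never replay the original credential to a host the user did not configure.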
Recommendations
Update to version 5.18.0.
Update to version 6.0.0-alpha.2.
Weakness Enumeration
Insufficiently Protected Credentials
Affected Products
Go-Git