PT-2026-38294 · Pypi+2 · Gitpython+2

Kkkh1 · Published 2026-05-06 · Updated 2026-05-26 · CVE-2026-44243

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: GitPython versions prior to 3.1.48
Description: Insufficient validation of reference paths in reference creation, rename, and delete operations allows an attacker who controls a reference name to write, overwrite, move, or delete files outside the repository's .git directory. The path traversal issue exists because reference paths are not consistently validated before filesystem operations: some validation is applied on the read path, but none is enforced on the write path. Specifically, SymbolicReference.create(), Reference.create(), SymbolicReference.set_reference(), SymbolicReference.rename(), and SymbolicReference.delete() build filesystem paths by joining the attacker-controlled reference name onto the .git directory without checking that the result stays inside the repository.
Recommendations: Update to version 3.1.48 or later. As a temporary workaround, restrict or disable the use of SymbolicReference.create(), Reference.create(), SymbolicReference.set_reference(), SymbolicReference.rename(), and SymbolicReference.delete() when processing user-controlled input; where these calls cannot be avoided, reject any reference name that contains "." or ".." components, an absolute path, or a backslash, and confirm that the joined path still resolves inside the repository's .git directory before making the call.
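The description above explains the defect (a reference name joined onto the .git directory with no boundary check), and the workaround asks callers to gate user-controlled names before reaching the listed GitPython methods. The following is an added example that is not GitPython's code and not part of the advisory: a standard-library validator that applies the lexical rules and a resolved-path containment check, plus a wrapper, guarded_ref_operation(), that runs an arbitrary callback only after the name passes. The git_dir values and reference names are constructed for illustration; the callback parameter is an assumption for this example and is not a GitPython API.

```python
"""Boundary check for reference names before GitPython ref operations.

Added example, not GitPython's own code. The advisory says the write-path
methods join an attacker-controlled reference name onto the .git directory
without enforcing repository boundaries; this module shows the check a
caller (or a fixed library) needs: lexical rejection of traversal components
followed by a resolved-path containment test against the .git directory.
"""
import os
from typing import Callable, TypeVar

T = TypeVar("T")


class UnsafeRefName(ValueError):
    """Raised when a reference name would escape the .git directory."""


def ref_path_within_git_dir(git_dir: str, ref_name: str) -> str:
    """Return the absolute path `ref_name` would occupy under `git_dir`,
    or raise UnsafeRefName if the name would escape that directory.

    Rules, in order:
      * name must be non-empty and relative (no leading '/' or '\\')
      * no backslashes or NUL bytes (backslash is a separator on Windows)
      * no '.', '..' or empty path components (so 'refs//x' is rejected too)
      * os.path.realpath(join(git_dir, name)) must stay under realpath(git_dir);
        this also catches a symlinked component pointing outside the repo.
    """
    if not ref_name or ref_name.startswith(("/", "\\")) or os.path.isabs(ref_name):
        raise UnsafeRefName(f"empty or absolute reference name: {ref_name!r}")
    if "\\" in ref_name or "\0" in ref_name:
        raise UnsafeRefName(f"illegal character in reference name: {ref_name!r}")
    parts = ref_name.split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise UnsafeRefName(f"traversal or empty component in: {ref_name!r}")

    base = os.path.realpath(git_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    # If `candidate` escaped, the common prefix is shorter than `base`.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeRefName(f"{ref_name!r} resolves outside {base}")
    return candidate


def is_safe_ref_name(git_dir: str, ref_name: str) -> bool:
    """Boolean form of ref_path_within_git_dir() for audits and tests."""
    try:
        ref_path_within_git_dir(git_dir, ref_name)
        return True
    except UnsafeRefName:
        return False


def guarded_ref_operation(git_dir: str, ref_name: str,
                          operation: Callable[[str], T]) -> T:
    """Run `operation(ref_name)` only after the name passes the boundary check.

    `operation` is a hypothetical hook for this example: in real code it
    would wrap one of the advisory's methods, e.g. a lambda that calls
    Reference.create(repo, ref_name, ...) for a GitPython `repo`.
    """
    ref_path_within_git_dir(git_dir, ref_name)
    return operation(ref_name)


if __name__ == "__main__":
    # Constructed inputs: a fake .git directory path and a mix of benign and
    # traversal-style reference names as a user might submit them.
    git_dir = "/tmp/example_repo/.git"
    names = [
        "refs/heads/feature",
        "refs/tags/v1.0",
        "../../tmp/target",
        "/etc/target",
        "refs/heads/../../../outside",
        "refs//heads/x",
        "refs\\heads\\x",
    ]
    for name in names:
        verdict = "allow" if is_safe_ref_name(git_dir, name) else "reject"
        print(f"{verdict:6} {name!r}")
```

Run it on its own to see each constructed name classified; in an application, route every user-supplied reference name through guarded_ref_operation() (or the boolean check) before any of the five methods named in the advisory is called. The lexical rules alone stop "..", and the realpath containment test is what stops a symlink inside .git from redirecting a write elsewhere.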

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-44243
GHSA-7545-FCXQ-7J24
OESA-2026-2306
OESA-2026-2307
OESA-2026-2308
OPENSUSE-SU-2026:10758-1
USN-8303-1

Affected Products

Gitpython
Linuxmint
Ubuntu