PT-2026-39901 · GitHub · GitHub Copilot CLI

Syvb · Published 2026-05-11 · Updated 2026-06-02 · CVE-2026-45033

CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: GitHub Copilot CLI versions prior to 1.0.43
Description: A malicious bare git repository nested inside a project directory can lead to arbitrary code execution when the agent performs git operations. Because git automatically discovers a bare repository while traversing directories, an attacker can set configuration keys whose values git treats as shell commands, so those commands run without the user's awareness or approval. This is possible because certain git configuration keys, such as core.fsmonitor, core.hookspath, diff.external, and merge.tool, can specify shell commands that git executes during normal operations like status, diff, or rev-parse.
Recommendations: Update GitHub Copilot CLI to version 1.0.43 or later. Exercise caution when working in repositories that contain nested bare git repositories. Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.
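One way to carry out the review the recommendations ask for, written as an added example (not code from this advisory or from GitHub Copilot CLI): walk a project tree, recognise bare repositories by their on-disk layout (HEAD, config and objects/ sitting directly in a directory rather than under .git/), and report any of the executable configuration keys the advisory names. The demo tree, its directory names and the placeholder values in the config file are constructed for this example.

```python
#!/usr/bin/env python3
"""Find nested bare git repositories and flag config keys git runs as commands.
Added defensive example; not part of the advisory or of GitHub Copilot CLI."""
import os
import re
import tempfile

# Keys named in the advisory whose values git executes during ordinary
# operations such as status, diff or rev-parse.
EXEC_KEYS = {"core.fsmonitor", "core.hookspath", "diff.external", "merge.tool"}

# Matches [section] and [section "subsection"] headers of git's INI-like config.
_SECTION_RE = re.compile(r'^\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]$')


def parse_git_config(text):
    """Minimal git config parser returning {"section.key": value}.
    Subsections are flattened to section.subsection.key. Sufficient for
    triage; include directives and quoting subtleties are ignored."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        entries[f"{section}.{key.lower()}"] = value
    return entries


def looks_like_bare_repo(path):
    """A bare repository keeps HEAD, config and objects/ directly in the
    directory instead of under .git/."""
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isfile(os.path.join(path, "config"))
            and os.path.isdir(os.path.join(path, "objects")))


def scan_tree(root):
    """Return [(relative_repo_path, {flagged_key: value})] for every directory
    under root that looks like a bare repository. Ordinary .git directories
    are expected and are not descended into."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if looks_like_bare_repo(dirpath):
            cfg_path = os.path.join(dirpath, "config")
            with open(cfg_path, encoding="utf-8", errors="replace") as fh:
                cfg = parse_git_config(fh.read())
            flagged = {k: v for k, v in cfg.items() if k in EXEC_KEYS}
            findings.append((os.path.relpath(dirpath, root), flagged))
            dirnames[:] = []  # nothing below a bare repo needs scanning
    return findings


def build_demo_tree():
    """Constructed sample: a normal checkout plus a nested bare repository under
    vendor/ whose config sets executable keys to obvious placeholders."""
    root = tempfile.mkdtemp(prefix="bare-scan-demo-")
    # Ordinary repository layout; its config lives under .git/ and is skipped.
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write("[core]\n\tbare = false\n")
    # Nested bare repository: the layout the advisory warns about.
    bare = os.path.join(root, "vendor", "libfoo")
    os.makedirs(os.path.join(bare, "objects"))
    os.makedirs(os.path.join(bare, "refs"))
    with open(os.path.join(bare, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(bare, "config"), "w") as fh:
        fh.write("[core]\n\tbare = true\n"
                 "\tfsmonitor = /PLACEHOLDER/not-a-real-command\n"
                 "[diff]\n\texternal = /PLACEHOLDER/not-a-real-command\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for repo, flagged in scan_tree(demo_root):
        verdict = "SUSPICIOUS" if flagged else "bare repo, no executable keys"
        print(f"{repo}: {verdict}")
        for key, value in flagged.items():
            print(f"  {key} = {value}")
```

Run it against a real checkout by replacing `build_demo_tree()` with the project path; any hit on one of the listed keys is worth inspecting before letting a tool run git commands in that tree, and a bare repository with no flagged keys is still unusual enough in vendor/ or third_party/ to ask where it came from.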


Related Identifiers

CVE-2026-45033
GHSA-9CCR-R5HG-74GF

Affected Products

GitHub Copilot CLI