HIGH🇬🇧 English

CVE-2026-45033

CVSS 8.5v4.0pub. 2026-05-13upd. 2026-06-02

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.

oryginał EN
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • GitHub Copilot Cli

    APP
    Github
    < 1.0.43
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEPath Traversal
CWE
Referencje

Powiązane podatności

CVE-2026-9312CRITICAL9.2ten sam vendor

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an ...

CVE-2024-9487CRITICAL9.5PL ✓ten sam vendor

Obejście uwierzytelniania SAML SSO w GitHub Enterprise Server

CVE-2024-6800CRITICAL9.5PL ✓ten sam vendor

XML Signature Wrapping w GitHub Enterprise Server — fałszowanie SAML

CVE-2024-4985CRITICAL10.0PL ✓ten sam vendor

Authentication bypass w GitHub Enterprise Server via SAML SSO

CVE-2024-2443CRITICAL9.1PL ✓ten sam vendor

Command injection w GitHub Enterprise Server — eskalacja do admina SSH

CVE-2026-45033 — HIGH 8.5 | CVEbaza.pl