Home

Description

gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.

PUBLISHED Reserved 2026-04-08 | Published 2026-05-26 | Updated 2026-05-28 | Assigner VulnCheck




HIGH: 7.3CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

Default status
unaffected

Any version before 0.5.21
affected

0.5.21 (semver)
unaffected

Default status
unaffected

Any version before 0.29.0
affected

0.29.0 (semver)
unaffected

Default status
unaffected

Any version before 0.84.0
affected

0.84.0 (semver)
unaffected

References

github.com/...toxide/security/advisories/GHSA-f26g-jm89-4g65 exploit

github.com/...toxide/security/advisories/GHSA-f26g-jm89-4g65 (GHSA Advisory GHSA-f26g-jm89-4g65) vendor-advisory

github.com/...ommit/6a2e6a436f76c8bbf2487f9967413a51356667a0 patch

github.com/...ommit/dd5c18d9e526e8de462fa40aa047acd097cfa7dc patch

red.anthropic.com/2026/cvd/findings/ANT-2026-6SNS6KMP (Anthropic CVD Finding ANT-2026-6SNS6KMP) third-party-advisory

www.vulncheck.com/...al-gitmodules-override-in-gix-submodule (VulnCheck Advisory: gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule) third-party-advisory

cve.org (CVE-2026-40034)

nvd.nist.gov (CVE-2026-40034)

Download JSON