Severity: HIGH · CVE-2026-45022 · CNA: GitHub_M

CVE-2026-45022: go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.
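The divergence described above (a signing or verification payload rebuilt from a parsed representation rather than taken from the stored object bytes) and the check a defender can put in front of it, as an added example that is not go-git's code and not part of this advisory: a deliberately lenient fixed-field commit parser, the two ways of deriving a signing payload, and a round-trip gate that refuses any object whose parsed view does not reproduce the raw bytes. Every type, function name and sample object here is constructed for the example (placeholder signature body, example.test addresses); none of it is go-git's API or its fix.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
)

// Commit is a minimal fixed-field view of a git commit object, the shape a typical
// parsed representation takes. Illustrative type only, not go-git's object.Commit.
type Commit struct {
	Tree, Author, Committer, Message string
	Signature                        string // gpgsig value with continuation lines unfolded
}

// Parse decodes raw commit bytes into the fixed-field view. Like many lenient
// parsers it lets a repeated header silently overwrite the earlier value.
func Parse(raw []byte) (*Commit, error) {
	head, msg, _ := bytes.Cut(raw, []byte("\n\n"))
	c := &Commit{Message: string(msg)}
	fields := map[string]*string{"tree": &c.Tree, "author": &c.Author, "committer": &c.Committer, "gpgsig": &c.Signature}
	var last *string // header that continuation lines (leading space) extend
	for _, line := range strings.Split(string(head), "\n") {
		if strings.HasPrefix(line, " ") && last != nil {
			*last += "\n" + line[1:]
			continue
		}
		name, value, _ := strings.Cut(line, " ")
		field, known := fields[name]
		if !known {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		*field, last = value, field
	}
	return c, nil
}

// Encode re-serializes the parsed view. withSig=false yields the signing payload
// rebuilt from parsed fields, the derivation the advisory says cannot be trusted.
func (c *Commit) Encode(withSig bool) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "tree %s\nauthor %s\ncommitter %s\n", c.Tree, c.Author, c.Committer)
	if withSig && c.Signature != "" {
		fmt.Fprintf(&b, "gpgsig %s\n", strings.ReplaceAll(c.Signature, "\n", "\n "))
	}
	b.WriteString("\n" + c.Message)
	return []byte(b.String())
}

// RawSigningPayload takes the signing payload straight from the stored bytes: only
// the gpgsig header and its continuation lines are dropped, nothing is re-serialized.
func RawSigningPayload(raw []byte) []byte {
	head, msg, _ := bytes.Cut(raw, []byte("\n\n"))
	var out bytes.Buffer
	inSig := false
	for _, line := range bytes.Split(head, []byte("\n")) {
		if bytes.HasPrefix(line, []byte("gpgsig ")) || (inSig && bytes.HasPrefix(line, []byte(" "))) {
			inSig = true
			continue
		}
		inSig = false
		out.Write(line)
		out.WriteByte('\n')
	}
	out.WriteByte('\n')
	out.Write(msg)
	return out.Bytes()
}

// CheckCanonical is the defensive gate: refuse any object whose parsed view does
// not reproduce the stored bytes exactly, since its meaning is then ambiguous.
func CheckCanonical(raw []byte) error {
	c, err := Parse(raw)
	if err != nil {
		return err
	}
	if !bytes.Equal(c.Encode(true), raw) {
		return errors.New("object does not round-trip through the parser; refusing to sign or verify")
	}
	return nil
}

// Constructed sample object; the signature body is a placeholder, not a real PGP signature.
const WellFormed = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A Dev <a@example.test> 1700000000 +0000\n" +
	"committer A Dev <a@example.test> 1700000000 +0000\n" +
	"gpgsig -----BEGIN PGP SIGNATURE-----\n \n cGxhY2Vob2xkZXI=\n -----END PGP SIGNATURE-----\n" +
	"\nInitial commit\n"

// The same object with a second, conflicting author header inserted (constructed).
var DuplicatedAuthor = strings.Replace(WellFormed, "committer",
	"author B Dev <b@example.test> 1700000000 +0000\ncommitter", 1)

func main() {
	for _, raw := range []string{WellFormed, DuplicatedAuthor} {
		fmt.Println("canonical check:", CheckCanonical([]byte(raw)))
	}
}
```

For the well-formed object both payload derivations agree byte-for-byte and the gate passes. For the constructed object with a repeated author header, the lenient parser keeps only the last value, the payload rebuilt from the parsed fields no longer matches the stored bytes, and CheckCanonical rejects the object before any signature is consulted. A verifier should compute its payload the way RawSigningPayload does, from the stored bytes, and run the round-trip gate in front of both signing and verification; upgrading to the fixed go-git versions remains the actual remedy.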

HarborGuard Analysis

Synopsis

This is a cryptographic signature bypass vulnerability in go-git, a pure-Go Git implementation library. An authenticated attacker can craft malformed Git commit or tag objects that go-git parses differently from upstream Git, causing go-git to sign or verify a reconstructed payload that does not match the raw bytes actually stored in the repository. Successful exploitation lets an attacker make a tampered commit appear to carry a valid cryptographic signature, undermining the integrity of signed commit workflows. No upstream fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45022 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that vendor go-git directly or bundle it as a transitive dependency.

Triage: Available

HarborGuard scores this CVE at 7.0 HIGH using the CVSS v4.0 vector and can weight that score against each environment's compliance policy to surface the finding in the correct team inbox for follow-up prioritization.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates the advisory on every ingest cycle; a patched-image rebuild will become available automatically the moment go-git ships versions 5.19.0 or 6.0.0-alpha.3. In the meantime, customers with auto-remediation enabled can apply compensating controls such as network-policy isolation for services that perform go-git commit verification, or feature-flag gating of signature-verification code paths until upstream ships a fix.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected go-git service over the network to deliver or inject malformed Git objects.

  • Authentication: Required

    A low-privilege account (PR:L) is sufficient; the attacker does not need administrative credentials, but some form of authenticated access to push or supply objects is necessary.

  • Victim interaction: Not required

    No user action is needed; go-git processes the malformed object automatically during normal parsing or verification operations.

  • Attack complexity: High

    Exploitation is rated High complexity (AC:H), meaning the attacker must carefully craft a malformed object that triggers the parsing divergence; success is not guaranteed on every attempt and may depend on specific object structure or parser state.

Blast Radius

  • An attacker can cause go-git to accept and record a cryptographic signature as valid over a reconstructed commit payload that does not match the raw bytes in the repository.
  • Commit or tag metadata displayed to developers (author, message, timestamps) may differ from the object that was actually signed, enabling undetected tampering with repository history.
  • Integrity guarantees of signed commit workflows are broken: downstream systems that rely on go-git signature verification to gate deployments or audits may approve malicious or altered commits.
  • Confidentiality of stored data is not affected; the impact is limited to integrity of commit signing and verification.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously re-checks the CVE-2026-45022 advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment go-git publishes versions 5.19.0 or 6.0.0-alpha.3. While waiting for upstream, customers are advised to consider network-policy isolation for services that call go-git signature-verification or signing APIs, egress filtering to restrict which repositories those services can pull objects from, and feature-flag gating to disable go-git-based commit verification in favor of shelling out to a known-good upstream Git binary where the deployment environment allows. For customers who opt into auto-remediation, HarborGuard will queue a rebuild, regression run, and PR against affected workloads immediately on fix publication, with no manual intervention required.

Metrics

  • CVSS v4.0: 7.0
  • Severity: HIGH
  • Fixed in:
  • Affected products: 1
  • Affected packages: go-git / go-git: < 5.19.0 · >= 6.0.0-alpha.1, < 6.0.0-alpha.3
  • CVSS vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N