HarborGuard / CVE
Back to search
CRITICALCVE-2026-45261Published Modified CNA GitHub_M

CVE-2026-45261: GitButler: Link injection via forge integration enables arbitrary script execution

GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.

HarborGuard Analysis

HarborGuard analysis

Synopsis

This is a link-injection vulnerability in the Tauri-based GitButler desktop application that leads to arbitrary script execution (remote code execution). An attacker with a low-privilege account injects a malicious link into a pull request body; if a victim clicks that link inside the GitButler interface, the Tauri webview executes arbitrary scripts without further restriction. Successful exploitation gives the attacker full read, write, and availability impact on both the local and any connected system scope. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-45261 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle GitButler or its dependencies. Any image carrying an affected version of gitbutler (below 0.19.7) is flagged immediately upon scan or on the next scheduled pipeline run.

Available
Triage

HarborGuard scores this CVE at 9.3 CVSS v4.0 (Critical) and surfaces it with that severity weighting in each customer's triage queue, adjusted against per-environment compliance policy settings. Routing rules direct the alert to the team or inbox configured for critical-severity findings within each customer organization.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears upstream. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without requiring manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must deliver the malicious pull request link over the network to a target GitButler instance with forge integration enabled.

  • AuthenticationRequired

    The attacker needs at least a low-privilege account sufficient to open or comment on a pull request and inject the malicious link.

  • Victim interactionRequired

    A victim must actively click the injected link inside the GitButler interface for the Tauri webview to execute the malicious script.

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable; no race conditions or special environmental factors are required beyond the victim having forge integration enabled.

Blast Radius

  • The attacker executes arbitrary scripts inside the Tauri webview, giving full code execution on the victim's local machine.
  • Confidential data accessible to the desktop application, including repository contents, credentials, and session tokens, is readable by the attacker.
  • The attacker can write or modify files and repository state on the victim's machine.
  • Because CVSS v4.0 subsequent-system impact is also rated High across all dimensions, any networked resources the victim's machine has access to are reachable for further read, write, or disruption actions.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity and tracked continuously against all customer images that include an affected GitButler build. Because no upstream patch exists at this time, HarborGuard re-checks the advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment version 0.19.7 or a later fix is published upstream; for customers with auto-remediation enabled, that rebuild includes a regression test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include disabling forge integration in GitButler deployments where it is not operationally required, applying network-policy rules to restrict the GitButler host from reaching untrusted forge endpoints, and using egress filtering to block unexpected outbound connections from developer workstations running the application.

See how HarborGuard automates this

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
Affected Products
1
Affected packages
  • gitbutlerapp / gitbutler
    < 0.19.7
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References