CVE-2026-44243: GitPython reference APIs have a path traversal vulnerability that allows arbitrary file write and delete outside the repository
A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.
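An application-side check for the condition described above, as an added example that is not GitPython's code or its upstream fix: validate any untrusted reference path before it reaches a reference create, rename, or delete call. The function name `is_safe_ref_path`, the requirement that paths start with `refs/`, and the sample inputs are assumptions made for this illustration.

```python
import os
import re

# Characters and sequences that git's own ref-name rules forbid
# (control chars, space, ~ ^ : ? * [ \, "..", "@{", and "//").
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]|\.\.|@\{|//")


def is_safe_ref_path(ref_path: str, git_dir: str) -> bool:
    """Return True only if ref_path is a well-formed ref that stays under <git_dir>/refs."""
    # Assumption: the application only accepts fully qualified refs from users.
    if not ref_path or not ref_path.startswith("refs/"):
        return False
    if _FORBIDDEN.search(ref_path):
        return False
    if ref_path.endswith(("/", ".")):
        return False
    # No component may be hidden (".", "..", ".x") or collide with git lock files.
    if any(p.startswith(".") or p.endswith(".lock") for p in ref_path.split("/")):
        return False
    # Defence in depth: resolve symlinks and confirm the target is still inside refs/.
    refs_root = os.path.realpath(os.path.join(git_dir, "refs"))
    target = os.path.realpath(os.path.join(git_dir, ref_path))
    return os.path.commonpath([refs_root, target]) == refs_root


if __name__ == "__main__":
    # Constructed sample inputs; the git directory path is a placeholder.
    for candidate in ("refs/heads/main", "refs/heads/../../../outside", "/abs/path"):
        print(candidate, "->", is_safe_ref_path(candidate, "/srv/repos/demo/.git"))
```

Call the check on every externally supplied reference name and reject the request when it returns `False`, rather than trying to normalise the value.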