Summary
A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.
Details
Git supports bare repositories (repositories without a working tree), and git can discover one automatically while it walks up the directory hierarchy looking for a .git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that name external commands to execute.
The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.
Attack Scenario
An attacker can exploit this by:
- Creating a bare git repository nested inside a seemingly normal project directory (e.g., vendor/malicious.git/ or a deeply nested subdirectory)
- Configuring core.fsmonitor (or similar keys) in that bare repository to execute a malicious command
- When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command
This can occur when:
- The agent navigates into a subdirectory containing the buried bare repo
- The agent runs git status, git diff, or other routine git commands
- The agent uses tools like grep or glob that may trigger git operations in subdirectories
Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.
Affected Versions
- GitHub Copilot CLI versions prior to 1.0.42
Remediation and Mitigation
User Actions
- Upgrade GitHub Copilot CLI to 1.0.43 or later.
- Exercise caution when working in repositories that contain nested bare git repositories.
- Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.
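The review step above can be automated. The following scanner is an added example (not GitHub's or Kodem's code): it walks a project tree, reports any directory that git's discovery would accept as a repository (a HEAD file plus objects/ and refs/ directories) outside the project's own .git, and lists config keys in it that make git run external commands. The key list is the one the advisory names (core.fsmonitor, core.hookspath, diff.external, merge.tool) plus a few other well-known command-running keys; the sample tree and its config values are constructed fixtures, and nothing here invokes git.

```python
"""Scan a project tree for nested bare git repositories and flag config keys
that make git run external commands (core.fsmonitor, core.hookspath, ...).

Added example, not GitHub's or Kodem's code. Standard library only; it never
runs git, so it can be used on a checkout before any git operation happens.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Keys named on the advisory page plus other well-known command-running keys.
# The wildcard patterns cover e.g. diff.<driver>.command or filter.<name>.smudge.
EXEC_KEY_PATTERNS = [
    re.compile(p) for p in (
        r"^core\.fsmonitor$", r"^core\.hookspath$", r"^core\.sshcommand$",
        r"^core\.gitproxy$", r"^core\.pager$", r"^core\.editor$",
        r"^diff\.external$", r"^merge\.tool$", r"^gpg\.program$",
        r"^credential\.helper$",
        r"^diff\.[^.]+\.(command|textconv)$",
        r"^filter\.[^.]+\.(clean|smudge)$",
        r"^merge\.[^.]+\.driver$",
    )
]


@dataclass
class BareRepoFinding:
    path: Path
    is_bare: bool                                   # core.bare = true in its config
    exec_keys: dict = field(default_factory=dict)   # flagged key -> configured value


def parse_git_config(text: str) -> dict:
    """Minimal parser for git's INI-like config: returns {"section.sub.key": value}."""
    entries, section = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$', line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)         # subsection keeps its case
            continue
        key, _, value = line.partition("=")
        entries[f"{section}.{key.strip().lower()}"] = value.strip()
    return entries


def looks_like_git_dir(d: Path) -> bool:
    """Git's discovery accepts a directory that has HEAD, objects/ and refs/."""
    return (d / "HEAD").is_file() and (d / "objects").is_dir() and (d / "refs").is_dir()


def scan_for_bare_repos(root: Path) -> list:
    """Return a BareRepoFinding for every repository-like directory nested under root."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if d.name == ".git":
            dirnames[:] = []                        # the project's own repo is expected
            continue
        if d == root or not looks_like_git_dir(d):
            continue
        cfg_file = d / "config"
        cfg = parse_git_config(cfg_file.read_text(errors="replace")) if cfg_file.is_file() else {}
        exec_keys = {k: v for k, v in cfg.items() if any(p.match(k) for p in EXEC_KEY_PATTERNS)}
        findings.append(BareRepoFinding(d, cfg.get("core.bare", "").lower() == "true", exec_keys))
        dirnames[:] = []                            # no need to descend into repo internals
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture: a normal project with a bare repo buried under vendor/."""
    root = Path(tempfile.mkdtemp(prefix="bare-scan-"))
    (root / ".git").mkdir()                         # stand-in for the project's own repo
    (root / "src").mkdir()
    (root / "src" / "main.py").write_text("print('hello')\n")
    bare = root / "vendor" / "example.git"
    for sub in ("objects", "refs"):
        (bare / sub).mkdir(parents=True)
    (bare / "HEAD").write_text("ref: refs/heads/main\n")
    (bare / "config").write_text(                   # placeholder values, never executed
        "[core]\n\tbare = true\n\tfsmonitor = /placeholder/not-a-real-command\n"
        '[diff "img"]\n\ttextconv = /placeholder/textconv\n'
    )
    return root


def report(root: Path) -> list:
    """Human-readable lines, one per finding plus one per flagged key."""
    lines = []
    for f in scan_for_bare_repos(root):
        kind = "bare repo" if f.is_bare else "repository-like directory"
        lines.append(f"{kind}: {f.path.relative_to(root)}")
        for k, v in sorted(f.exec_keys.items()):
            lines.append(f"  runs an external command via {k} = {v}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(build_sample_tree())) or "no nested bare repositories found")
```

Run it against a real checkout with `report(Path("path/to/project"))`; a non-empty result for a vendored or third-party directory is worth a look even when no command-running key is flagged, because the key list is a starting set rather than an exhaustive one.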
Impact
An attacker who can place a malicious bare repository inside a project, for example, through:
- A pull request adding a directory that contains a bare repository
- A compromised or malicious dependency that includes a bare repository
- A cloned repository that already contains nested bare repositories
could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.
Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.
CVE-2026-45033 has a CVSS score of 7.8 (High). The vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.0.43); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
The fix sets safe.bareRepository=explicit via git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* environment variable mechanism, which takes precedence over all config file sources. This stops git from automatically discovering and using bare repositories during directory traversal; only bare repositories that are explicitly specified will be used.
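The environment mechanism described above can be reproduced by any tool that shells out to git. The wrapper below is an added example, not the Copilot CLI's own code: it appends safe.bareRepository=explicit to whatever GIT_CONFIG_COUNT set the caller already exported (clobbering an existing count would silently drop the caller's own entries) and runs git with the result. It assumes git 2.31 or later for the GIT_CONFIG_* variables and 2.38 or later for safe.bareRepository; the function names are this example's own.

```python
"""Run git with safe.bareRepository=explicit injected through the
GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n environment
mechanism, the approach the advisory's fix description names.

Added example, not the Copilot CLI's own code. Assumes git >= 2.31 for
GIT_CONFIG_* and git >= 2.38 for safe.bareRepository.
"""
import os
import shutil
import subprocess
from typing import Optional

# The one setting the fix needs; more (key, value) pairs can be appended.
HARDENING = [("safe.bareRepository", "explicit")]


def with_git_config(env: dict, pairs) -> dict:
    """Return a copy of env with pairs appended to the GIT_CONFIG_* set.

    Existing entries are preserved: a caller that already exported
    GIT_CONFIG_COUNT=1 gets the new keys at index 1, 2, ... and an updated
    count, rather than having its own entries overwritten.
    """
    out = dict(env)
    try:
        count = int(out.get("GIT_CONFIG_COUNT", "0"))
    except ValueError:
        count = 0                        # malformed count: start a fresh set
    for i, (key, value) in enumerate(pairs, start=count):
        out[f"GIT_CONFIG_KEY_{i}"] = key
        out[f"GIT_CONFIG_VALUE_{i}"] = value
        count += 1
    out["GIT_CONFIG_COUNT"] = str(count)
    return out


def hardened_env(env: Optional[dict] = None) -> dict:
    """The process environment (or the given one) with the hardening applied."""
    return with_git_config(os.environ if env is None else env, HARDENING)


def run_git(args, cwd=None, env: Optional[dict] = None) -> subprocess.CompletedProcess:
    """Run `git <args>` in cwd so that bare repos are never auto-discovered."""
    return subprocess.run(["git", *args], cwd=cwd, env=hardened_env(env),
                          capture_output=True, text=True, check=False)


def effective_bare_repository_policy() -> Optional[str]:
    """Ask git what value it resolves for safe.bareRepository under the wrapper.

    Returns None when git is not installed, so the demo degrades gracefully.
    """
    if shutil.which("git") is None:
        return None
    proc = run_git(["config", "--get", "safe.bareRepository"])
    return proc.stdout.strip() or None


if __name__ == "__main__":
    print("policy seen by git:", effective_bare_repository_policy())
    # Inside a nested bare repo, a wrapped `git status` now fails with
    # "cannot use bare repository ... (safe.bareRepository is 'explicit')"
    # instead of applying that repository's config.
```

With the wrapper in place, a git command run from inside an auto-discovered bare repository refuses with a fatal error naming safe.bareRepository, which is the signal to look at the directory rather than a sign that the wrapper is broken; repositories the caller names explicitly via --git-dir or GIT_DIR are unaffected, which is what the explicit setting means.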
Frequently Asked Questions
- What is CVE-2026-45033? CVE-2026-45033 is a high-severity security vulnerability in @github/copilot (npm), affecting versions <= 1.0.42. It is fixed in 1.0.43.
- How severe is CVE-2026-45033? CVE-2026-45033 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @github/copilot are affected by CVE-2026-45033? @github/copilot (npm) versions <= 1.0.42 are affected.
- Is there a fix for CVE-2026-45033? Yes. CVE-2026-45033 is fixed in 1.0.43. Upgrade to this version or later.
- Is CVE-2026-45033 exploitable, and should I be worried? Whether CVE-2026-45033 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-45033 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-45033? Upgrade @github/copilot to 1.0.43 or later.