CVE-2026-45570

CVE-2026-45570 is a low-severity security vulnerability in github.com/go-git/go-git/v5 (go), affecting versions <= 5.19.0. It is fixed in 5.19.1 and 6.0.0-alpha.4.

Summary

Credit

Thanks to @N0zoM1z0 for reporting this to the go-git project. :bow:

Impact

go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sq_quote_buf so that an embedded ' becomes the '\'' close-escape-reopen sequence and the whole path round-trips as a single quoted argument.

A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is /bin/sh or /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH_ORIGINAL_COMMAND), those additional tokens execute in that account's command-execution context. SSH servers that tokenize the exec command without shell evaluation, including the canonical git-shell setup, are not affected.

The vulnerable behaviour is on the SSH server side, not in go-git: the same bytes can be produced by any SSH client. The change in go-git is defense-in-depth that restores parity with canonical Git's wire format and prevents go-git from being a vehicle for reaching shell-evaluating servers through attacker-influenced repository paths.

Affected versions

    • github.com/go-git/go-git/v5 (<= 5.19.0)
    • github.com/go-git/go-git/v6 (<= 6.0.0-alpha.3)
    • github.com/go-git/go-git (<= 4.7.0)

Security releases

    • github.com/go-git/go-git/v5 → 5.19.1 (go)
    • github.com/go-git/go-git/v6 → 6.0.0-alpha.4 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Remediation advice

Users should upgrade to a patched version in order to mitigate this issue. The fix ports sq_quote_buf from canonical Git into go-git's SSH transport so that the wire output is byte-identical to what git itself would send for the same input.
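As an added example (not go-git's own code and not the patch itself), the quoting rule from the Impact section and the sq_quote_buf port described above, written in Go beside the naive pre-fix form, with a small single-quote-aware word splitter to check that the hardened form reaches a shell as exactly one argument. The handling of ! alongside ' is canonical Git's sq_quote_buf behaviour; the function names and the sample path are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// sqQuote mirrors canonical Git's sq_quote_buf: wrap in single quotes and emit
// each embedded ' (and !) as '\'' / '\!' (close region, escape byte, reopen).
var sqEscapes = strings.NewReplacer("'", `'\''`, "!", `'\!'`)

func sqQuote(path string) string { return "'" + sqEscapes.Replace(path) + "'" }

// naiveQuote is the pre-fix shape the advisory describes: quotes around the
// path, embedded quotes left unescaped.
func naiveQuote(path string) string { return "'" + path + "'" }

// shWords splits cmd as a POSIX shell would for the constructs that matter here
// (single quotes, backslash outside quotes, unquoted blanks); a checking aid only.
func shWords(cmd string) (words []string) {
	var cur []byte
	inSQ, inWord := false, false
	for i := 0; i <= len(cmd); i++ {
		if i == len(cmd) || (!inSQ && (cmd[i] == ' ' || cmd[i] == '\t')) {
			if inWord { // unquoted blank or end of input ends the word
				words, cur, inWord = append(words, string(cur)), cur[:0], false
			}
			continue
		}
		inWord = true
		switch c := cmd[i]; {
		case c == '\'':
			inSQ = !inSQ // the quote toggles the region and is itself dropped
		case c == '\\' && !inSQ && i+1 < len(cmd):
			i++ // backslash outside quotes escapes the next byte
			cur = append(cur, cmd[i])
		default:
			cur = append(cur, c)
		}
	}
	return words
}

// oneWord reports whether the quoted path survived as exactly one argument.
func oneWord(cmd, path string) bool {
	w := shWords(cmd)
	return len(w) == 2 && w[1] == path
}

func main() { fmt.Println(sqQuote("repos/o'brien project.git")) } // constructed sample
```

oneWord is the check to run over any path that a client is about to place on the wire: with sqQuote it is true for every input, with naiveQuote it fails as soon as the path contains a single quote.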

Versions prior to v5 are likely to be affected as well; users are recommended to upgrade to a supported go-git version.

Frequently Asked Questions

  1. What is CVE-2026-45570? CVE-2026-45570 is a low-severity security vulnerability in github.com/go-git/go-git/v5 (go), affecting versions <= 5.19.0. It is fixed in 5.19.1, 6.0.0-alpha.4.
  2. Which packages are affected by CVE-2026-45570?
    • github.com/go-git/go-git/v5 (go) (versions <= 5.19.0)
    • github.com/go-git/go-git/v6 (go) (versions <= 6.0.0-alpha.3)
    • github.com/go-git/go-git (go) (versions <= 4.7.0)
  3. Is there a fix for CVE-2026-45570? Yes. CVE-2026-45570 is fixed in 5.19.1 and 6.0.0-alpha.4. Upgrade to one of these versions or later.
  4. Is CVE-2026-45570 exploitable, and should I be worried? Whether CVE-2026-45570 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-45570 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-45570?
    • Upgrade github.com/go-git/go-git/v5 to 5.19.1 or later
    • Upgrade github.com/go-git/go-git/v6 to 6.0.0-alpha.4 or later
