CVE-2026-41506
Description
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.
CVE-2026-41506
| Name | CVE-2026-41506 |
| Description | go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1136095 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-go-git-go-git (PTS) | bookworm | 5.4.2-3 | vulnerable |
| golang-github-go-git-go-git (PTS) | trixie | 5.14.0-1 | vulnerable |
| golang-github-go-git-go-git (PTS) | forky, sid | 5.19.1-1 | fixed |
| golang-github-go-git-go-git-v6 (PTS) | forky | 6~git20260305.2083cf94-3 | vulnerable |
| golang-github-go-git-go-git-v6 (PTS) | sid | 6.0.0~alpha.4-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-go-git-go-git | source | (unstable) | 5.19.1-1 | | | 1136095 |
| golang-github-go-git-go-git-v6 | source | (unstable) | 6.0.0~alpha4-1 | | | |
Notes
https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
Fixed by: https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53 (v5.18.0)
OS impact
SUSE: Affected (1 release)
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Debian: Mixed (4 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Fixed | 5.19.1-1 |
| forky | Fixed | 5.19.1-1 |
| bookworm | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/go-git/go-git/v5 | <5.18.0 | 5.18.0 |
| Go | github.com/go-git/go-git/v6 | <6.0.0-alpha.2 | 6.0.0-alpha.2 |
| Go | github.com/go-git/go-git/v6 | <= 6.0.0-alpha.1 | 6.0.0-alpha.2 |
| Go | github.com/go-git/go-git/v5 | <= 5.17.2 | 5.18.0 |
References
- https://github.com/go-git/go-git/releases/tag/v5.18.0
- https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2
- https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
- https://nvd.nist.gov/vuln/detail/CVE-2026-41506
- https://github.com/go-git/go-git
- https://security-tracker.debian.org/tracker/CVE-2026-41506
- https://www.suse.com/security/cve/CVE-2026-41506.html
- https://github.com/advisories/GHSA-3xc5-wrhm-f963
CWEs
CWE-522