Description
gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.
Published: 2026-05-26
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises in the gix-submodule component of the gitoxide project, prior to version 0.82.0. The update field within a .gitmodules file is not properly validated, allowing an attacker to insert arbitrary shell commands. When Submodule::update() is invoked on a submodule that was initialized with only partial configuration stored in .git/config, the injected commands are executed. The result is remote code execution on any system that runs the vulnerable update routine.

Affected Systems

The affected product is gitoxide, specifically its git submodule handling code before version 0.82.0. Users of older gitoxide releases that interact with submodules and rely on the .gitmodules update field must update to 0.82.0 or later, as earlier versions lack the validation guard.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity impact, and the vulnerability is listed as not present in the KEV catalog. The EPSS score is not available, so exploitation likelihood cannot be quantified. Based on the description, it is inferred that an attacker must gain the ability to modify a repository's .gitmodules file or otherwise influence the submodule configuration, then trigger Submodule::update(). Upon successful exploitation, arbitrary shell commands are executed with the privileges of the process performing the update. Therefore the risk profile is high for environments that automatically run submodule updates on untrusted repositories.

Generated by OpenCVE AI on May 26, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gitoxide to version 0.82.0 or newer.
  • If upgrading is not immediately possible, ensure that submodule updates are disabled or that the update command is configured to ignore or sanitize the update field.
  • Regularly review and validate the contents of .gitmodules files, especially in repositories that are accessed by external contributors or deployment tools.
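One way to carry out the review in the last item is a small audit that reads a repository's .gitmodules and reports any update field whose value is not one of git's documented update modes (checkout, rebase, merge, none), in particular a value starting with "!", which git's configuration semantics interpret as a custom command. The code below is an added example written for this page; it is not gitoxide's own code, and the parser, the function names and the constructed sample file are assumptions made for illustration.

```python
import re
from typing import Dict, List, Tuple

# Update modes that git documents for submodule.<name>.update. Any other
# value is suspicious, and a value starting with "!" denotes a custom command
# (git's own semantics; this is why a guard against commands in .gitmodules
# matters).
ALLOWED_UPDATE_MODES = {"checkout", "rebase", "merge", "none"}

SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]\s*$')
KEY_VALUE_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the git-config style .gitmodules file (assumption:
    one key per line, no line continuations). Returns {name: {key: value}}
    and ignores sections other than [submodule "..."]."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group("name"), {})
            continue
        if line.startswith("["):
            current = None  # some other section; skip its keys
            continue
        kv = KEY_VALUE_RE.match(line)
        if kv and current is not None:
            value = kv.group("value")
            # git allows double-quoted values; strip the quotes so a quoted
            # "!command" is still recognised as a command.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[kv.group("key").lower()] = value
    return modules


def audit_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule, reason, value) for every update field that is not a
    plain update mode. A "!" prefix is reported as a command; anything else
    outside the allowed set is reported as an unknown mode."""
    findings: List[Tuple[str, str, str]] = []
    for name, cfg in parse_gitmodules(text).items():
        update = cfg.get("update")
        if update is None:
            continue  # git falls back to checkout when the field is absent
        if update.startswith("!"):
            findings.append((name, "custom-command", update))
        elif update not in ALLOWED_UPDATE_MODES:
            findings.append((name, "unknown-mode", update))
    return findings


# Constructed sample .gitmodules for demonstration; not taken from any real
# repository. The second entry carries a harmless command to show detection.
SAMPLE_GITMODULES = """\
[submodule "vendor/ok"]
\tpath = vendor/ok
\turl = https://example.invalid/ok.git
\tupdate = checkout
[submodule "vendor/cmd"]
\tpath = vendor/cmd
\turl = https://example.invalid/cmd.git
\tupdate = "!echo injected"
[submodule "vendor/odd"]
\tpath = vendor/odd
\turl = https://example.invalid/odd.git
\tupdate = sideways
"""

if __name__ == "__main__":
    for name, reason, value in audit_gitmodules(SAMPLE_GITMODULES):
        print(f"{name}: {reason}: {value!r}")
```

Run against a checked-out repository by passing the contents of its .gitmodules to audit_gitmodules(); a non-empty result is a reason to stop an automated submodule update and inspect the file before Submodule::update() or git submodule update is run.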
Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 14:30:00 +0000

Type: Description
Values Added: gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.

Type: Title
Values Added: gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule

Type: Weaknesses
Values Added: CWE-77

Type: References
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T15:07:43.895Z

Reserved: 2026-04-08T13:36:56.793Z

Link: CVE-2026-40034

Vulnrichment

Updated: 2026-05-26T15:00:17.708Z

NVD

Status: Received

Published: 2026-05-26T15:16:35.087

Modified: 2026-05-26T16:16:24.397

Link: CVE-2026-40034

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:30:08Z

Weaknesses