Description
gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.
Published: 2026-05-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises in the gix-submodule component of the gitoxide project, prior to version 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0). The update field within a .gitmodules file is not properly validated, allowing attackers to insert arbitrary shell commands and bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. When Submodule::update() is called on a previously–initialized submodule, the injected commands are executed. The result is remote code execution on any system that runs the vulnerable update routine.

Affected Systems

The affected products are gitoxide, gix, and gix-submodule. Versions of gitoxide before 0.5.21, gix before 0.84.0, and gix-submodule before 0.29.0 incorrectly validate the update field. Users of older releases that interact with submodules and rely on the .gitmodules update field must update to versions 0.5.21, 0.84.0, or 0.29.0 or later respectively.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity impact, and the vulnerability is listed as not present in the KEV catalog. The EPSS score of 0.00017 indicates a very low exploitation probability. Based on the description, it is inferred that an attacker must gain the ability to modify a repository's .gitmodules file or otherwise influence the submodule configuration, then trigger Submodule::update(). Upon successful exploitation, arbitrary shell commands are executed with the privileges of the process performing the update. Therefore the risk profile is high for environments that automatically run submodule updates on untrusted repositories.

Generated by OpenCVE AI on May 28, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gitoxide to version 0.5.21 or newer, gix to 0.84.0 or newer, or gix-submodule to 0.29.0 or newer.
  • If upgrading is not immediately possible, ensure that submodule updates are disabled or that the update command is configured to ignore or sanitize the update field.
  • Regularly review and validate the contents of .gitmodules files, especially in repositories that are accessed by external contributors or deployment tools.

Generated by OpenCVE AI on May 28, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution. gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.

Wed, 27 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gitoxidelabs
Gitoxidelabs gitoxide
Vendors & Products Gitoxidelabs
Gitoxidelabs gitoxide

Tue, 26 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.
Title gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Gitoxidelabs Gitoxide
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-28T16:56:58.116Z

Reserved: 2026-04-08T13:36:56.793Z

Link: CVE-2026-40034

cve-icon Vulnrichment

Updated: 2026-05-26T15:00:17.708Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T15:16:35.087

Modified: 2026-05-28T18:16:32.177

Link: CVE-2026-40034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T20:15:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')