Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
Published: 2026-06-10
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in Dulwich’s porcelain.submodule_update, and by extension porcelain.clone with recurse_submodules enabled, allows an attacker to supply a crafted .gitmodules file and matching tree gitlink that points to ".git/hooks" or another directory inside the parent repository’s .git folder. The flaw causes the submodule’s content to be written directly into the victim’s .git/hooks directory with executable permissions. Subsequent Git or Dulwich commands that trigger the hook run the attacker’s code, resulting in arbitrary code execution. The vulnerability is identified as CWE‑22 and carries a CVSS score of 7.5.

Affected Systems

The software vendor Jelmer publishes Dulwich, a pure‑Python implementation of Git. Versions from 0.23.2 through 1.2.4 are affected; the issue is fixed in Dulwich 1.2.5. Any system or service using a vulnerable Dulwich library and performing a clone or submodule update that pulls from a malicious upstream repository is at risk.

Risk and Exploitability

Attackers need to provide a malicious upstream repository containing a valid .gitmodules entry and a gitlink tree object whose path is .git/hooks. The exploit occurs when a victim runs dulwich.porcelain.clone with recurse_submodules=True or calls submodule_update, which materializes the payload into the hooks directory. No elevated privileges are required to trigger the attack; the malicious code runs with the permissions of the process executing the Git command. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the high CVSS score and the ease of constructing a malicious repository suggest a non‑negligible risk of exploitation.

Generated by OpenCVE AI on June 10, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dulwich to 1.2.5 or later; the upstream patch removes the path traversal flaw.
  • If upgrading is impossible, pre‑screen repositories for .gitmodules entries that point to ".git/hooks" and deny or delete those entries before performing submodule updates.
  • Configure or disable hook execution in your environment, or set strict permissions on the .git/hooks directory to prevent execution of untrusted files.
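The second recommended action (pre-screening .gitmodules before any submodule update) can be done with a short stdlib-only script. The following is an added example written for this page, not dulwich's own code or its patch: it parses the git-config style .gitmodules format with a minimal parser (if dulwich is installed, its own dulwich.config parser can replace that part), rejects any submodule path that is absolute, traverses with `..`, or contains a component equal to `.git` ignoring case and trailing dots or spaces, and, when a checked-out worktree is given, resolves the path on disk so a symlink already present in the checkout cannot redirect it into `.git`. The sample .gitmodules text, the `example.invalid` URLs, and the function names are constructed for the example.

```python
"""Pre-screen a repository's .gitmodules before running submodule_update.

Added example (not dulwich's own code): rejects submodule paths that would
land inside the parent repository's .git directory or escape the worktree.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: one benign entry and one whose path targets .git/hooks,
# the pattern described in the advisory.
SAMPLE_GITMODULES = """\
[submodule "libfoo"]
\tpath = vendor/libfoo
\turl = https://example.invalid/libfoo.git
[submodule "evil"]
\tpath = .git/hooks
\turl = https://example.invalid/evil.git
"""

_SECTION_RE = re.compile(r'^\[submodule\s+"([^"]*)"\]$')
_KV_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')


@dataclass
class Submodule:
    name: str
    path: Optional[str] = None
    url: Optional[str] = None


def parse_gitmodules(text: str) -> List[Submodule]:
    """Minimal parser for the git-config style .gitmodules file: [submodule "x"]
    sections holding key = value lines; comments and other sections are skipped."""
    mods: List[Submodule] = []
    current: Optional[Submodule] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = _SECTION_RE.match(line)
        if sec:
            current = Submodule(name=sec.group(1))
            mods.append(current)
            continue
        if line.startswith("["):  # a non-submodule section: stop collecting keys
            current = None
            continue
        kv = _KV_RE.match(line)
        if kv and current is not None:
            key, value = kv.group(1).lower(), kv.group(2).strip().strip('"')
            if key == "path":
                current.path = value
            elif key == "url":
                current.url = value
    return mods


def unsafe_reason(path: Optional[str]) -> Optional[str]:
    """Lexical checks on a submodule path; returns a rejection reason or None.
    Rejects absolute paths, '..' components and any component that is '.git'
    ignoring case and trailing dots/spaces."""
    if not path:
        return "missing path"
    if path.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", path):
        return "absolute path"
    parts = [p for p in re.split(r"[\\/]+", path) if p not in ("", ".")]
    if not parts:
        return "path is the worktree root"
    for part in parts:
        if part == "..":
            return "parent-directory traversal"
        if part.lower().rstrip(". ") == ".git":
            return "component names the .git directory"
    return None


def resolves_inside_worktree(worktree: str, path: str) -> bool:
    """Filesystem check: follow symlinks already present in the checkout and
    require the final location to be inside the worktree but outside .git."""
    root = os.path.realpath(worktree)
    git_dir = os.path.join(root, ".git")
    target = os.path.realpath(os.path.join(root, path))
    inside_root = target == root or target.startswith(root + os.sep)
    inside_git = target == git_dir or target.startswith(git_dir + os.sep)
    return inside_root and not inside_git


def screen_gitmodules(text: str, worktree: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Map each submodule name to None (accepted) or a rejection reason."""
    verdicts: Dict[str, Optional[str]] = {}
    for sm in parse_gitmodules(text):
        reason = unsafe_reason(sm.path)
        if reason is None and worktree is not None:
            if not resolves_inside_worktree(worktree, sm.path):
                reason = "resolves outside the worktree or into .git"
        verdicts[sm.name] = reason
    return verdicts


def demo_symlink_case() -> Optional[str]:
    """Throwaway worktree where 'vendor' is a symlink to .git, so the lexically
    clean path vendor/libfoo would still land inside .git on disk."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, ".git", "hooks"))
        os.symlink(os.path.join(d, ".git"), os.path.join(d, "vendor"))
        return screen_gitmodules(SAMPLE_GITMODULES, worktree=d)["libfoo"]


if __name__ == "__main__":
    for name, verdict in screen_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{name}: {'ok' if verdict is None else 'REJECT (' + verdict + ')'}")
    print("symlinked vendor/:", demo_symlink_case())
```

Run `screen_gitmodules` on the fetched .gitmodules before calling `submodule_update`, and refuse the whole update if any verdict is not None. The lexical pass alone is not enough once a checkout exists on disk, which is why `resolves_inside_worktree` also realpath-resolves the target: the upstream Git fixes the advisory refers to (CVE-2024-32002) covered the symlink route as well as the literal `.git` path. This screening is a stopgap; upgrading to 1.2.5 remains the fix.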

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
Title | | Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T22:13:33.320Z

Reserved: 2026-06-08T14:00:43.571Z

Link: CVE-2026-52726

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T23:16:50.143

Modified: 2026-06-10T23:16:50.143

Link: CVE-2026-52726

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:30:44Z

Weaknesses