CVE-2026-41506

NameCVE-2026-41506
Descriptiongo-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1136095

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-go-git-go-git (PTS)bookworm5.4.2-3vulnerable
trixie5.14.0-1vulnerable
forky5.17.1-1vulnerable
sid5.19.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-go-git-go-gitsource(unstable)5.19.1-11136095

Notes

https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
Fixed by: https://github.com/go-git/go-git/commit/bcd20a9c525826081262a06a9ed9c3167abfcd53 (v5.18.0)
Search for package or bug name: Reporting problems