CVE-2026-41506

ADVISORY - github

Summary

Impact

go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial /info/refs request with a redirect to a different host, go-git updates the session endpoint to the redirected location and reuses the original authentication for subsequent requests. This can result in the credentials (e.g. Authorization headers) being sent to an unintended host.

An attacker controlling or influencing the redirect target can capture these credentials and potentially reuse them to access the victim’s repositories or other resources, depending on the scope of the credential.

Clients using go-git exclusively with trusted remotes (for example, GitHub or GitLab), and over a secure HTTPS connection, are not affected by this issue. The risk arises when interacting with untrusted or misconfigured Git servers, or when using unsecured HTTP connections, which is not recommended. Such configurations also expose clients to a broader class of security risks beyond this issue, including credential interception and tampering of repository data.

Patches

Users should upgrade to v5.18.0, or v6.0.0-alpha.2, in order to mitigate this vulnerability. Versions prior to v5 are likely to be affected, users are recommended to upgrade to a supported go-git version.

The patched versions add support for configuring followRedirects. In line with upstream behaviour, the default is now initial, while users can opt into FollowRedirects or NoFollowRedirects programmatically.

Credit

Thanks to the 3 separate reports from @celinke97, @N0zoM1z0 and @AyushParkara. Thanks for finding and reporting this issue privately to the go-git project. :bow:

EPSS Score⁠: 0.00057 (0.182)

Common Weakness Enumeration (CWE)

ADVISORY - nist

NIST

CREATED

25 days ago

UPDATED

21 days ago

ADVISORY IDCVE-2026-41506⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-522⁠

CVSS SCORE

4.7medium

GitHub

CREATED

2 months ago

UPDATED

21 days ago

ADVISORY IDGHSA-3xc5-wrhm-f963⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-522⁠

CVSS SCORE

4.7medium

Debian

CREATED

24 days ago

UPDATED

2 days ago

ADVISORY IDCVE-2026-41506⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

22 days ago

UPDATED

19 days ago

ADVISORY IDCVE-2026-41506⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.4medium

Chainguard

CREATED

10 days ago

UPDATED

10 days ago

ADVISORY ID

CGA-fwfh-x7w7-2jp6

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-2vwc-q2vh-77h6

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-3pcq-xh3r-4f7w

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

12 days ago

UPDATED

12 days ago

ADVISORY ID

MINI-3wgj-vfq5-2m2h

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-4cch-xw7f-vqjm

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-4hg8-4m5w-j972

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-55wg-q942-vqv9

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-5j34-cjgg-fq98

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-5q57-28fg-7mr7

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-63qv-6pgp-vcmr

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-66ff-5hcw-qvgc

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

30 days ago

UPDATED

30 days ago

ADVISORY ID

MINI-7552-65q4-fgrg

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-76pm-87p4-4p7g

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-787f-58cw-8482

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-7v3q-m42m-xgpp

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-893w-7v3p-922v

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-92gh-c7gx-wjrv

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-98wj-cpjj-568f

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-9c5j-5w47-5whx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

12 days ago

UPDATED

12 days ago

ADVISORY ID

MINI-c34j-ghrg-9qcq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-ffmv-349v-phqq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-fq5p-5g3f-9crj

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-fqrg-ggm9-3vr4

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-g2p9-xvfm-m6jq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

29 days ago

UPDATED

29 days ago

ADVISORY ID

MINI-gc58-68m7-p4q8

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

29 days ago

UPDATED

29 days ago

ADVISORY ID

MINI-grxm-27cw-f592

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

2 days ago

UPDATED

2 days ago

ADVISORY ID

MINI-j522-q6rr-43f8

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-jwx6-8769-gg3w

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

20 days ago

UPDATED

20 days ago

ADVISORY ID

MINI-mvgr-2322-5hg4

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

20 days ago

UPDATED

20 days ago

ADVISORY ID

MINI-p39w-8vr6-fhxx

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-ph45-3wqh-5mg9

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-phjx-r5rw-5cr7

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-qgmp-wj46-3v6j

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-qmqq-4mrg-3m63

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

20 days ago

UPDATED

20 days ago

ADVISORY ID

MINI-qwcr-8cw5-98w8

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-r4m2-6xmx-fpxv

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-rjj2-mgg9-55qh

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

30 days ago

UPDATED

30 days ago

ADVISORY ID

MINI-vf75-3r4q-ppfw

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

6 days ago

UPDATED

6 days ago

ADVISORY ID

MINI-vrcc-67qj-6pp4

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-w395-3hgw-pmjc

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-wcgf-34pv-7h44

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-wh2v-p9mw-47jr

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-wrpj-8mgr-q8w3

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

16 days ago

UPDATED

16 days ago

ADVISORY ID

MINI-x9vh-p7f7-v5cq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

1 month ago

UPDATED

1 month ago

ADVISORY ID

MINI-xgw7-fcq2-5gcg

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

15 days ago

UPDATED

15 days ago

ADVISORY ID

MINI-xxj3-rjrx-7j54

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

CVE-2026-41506

Summary

Impact

Patches

Credit

Common Weakness Enumeration (CWE)

CWE-522⁠

CWE-522⁠

Advisories

NIST

CVSS SCORE

GitHub

CVSS SCORE

Debian

Ubuntu

CVSS SCORE

Chainguard

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos

minimos