Vulnerability-Lookup

CVE-2026-45033 (GCVE-0-2026-45033)

Vulnerability from cvelistv5 – Published: 2026-05-13 15:45 – Updated: 2026-05-13 18:38

Title

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor

Summary

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.

Severity ?

8.5 (High)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-696 - Incorrect Behavior Order

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/github/copilot-cli/security/ad…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
github	copilot-cli	Affected: < 1.0.43

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-45033",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T18:38:29.088756Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T18:38:57.370Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "copilot-cli",
          "vendor": "github",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.0.43"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a  security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git\u0027s core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-696",
              "description": "CWE-696: Incorrect Behavior Order",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T15:45:26.751Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
        }
      ],
      "source": {
        "advisory": "GHSA-9ccr-r5hg-74gf",
        "discovery": "UNKNOWN"
      },
      "title": "GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-45033",
    "datePublished": "2026-05-13T15:45:26.751Z",
    "dateReserved": "2026-05-08T16:58:28.897Z",
    "dateUpdated": "2026-05-13T18:38:57.370Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45033",
      "date": "2026-05-17",
      "epss": "0.00029",
      "percentile": "0.0842"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45033\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T16:17:00.313\",\"lastModified\":\"2026-05-13T19:17:29.767\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a  security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git\u0027s core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-696\"}]}],\"references\":[{\"url\":\"https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
  }
}

GHSA-9CCR-R5HG-74GF

Vulnerability from github – Published: 2026-05-11 16:16 – Updated: 2026-05-14 20:38

Summary

GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor

Details

Summary

A security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval.

Details

Git supports bare repositories — repositories without a working tree — which can be discovered automatically when git traverses the directory hierarchy looking for a .git directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.

The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse.

Attack Scenario

An attacker can exploit this by:

Creating a bare git repository nested inside a seemingly normal project directory (e.g., vendor/malicious.git/ or a deeply nested subdirectory)
Configuring core.fsmonitor (or similar keys) in that bare repository to execute a malicious command
When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker's command

This can occur when: - The agent navigates into a subdirectory containing the buried bare repo - The agent runs git status, git diff, or other routine git commands - The agent uses tools like grep or glob that may trigger git operations in subdirectories

Prior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.

Impact

An attacker who can place a malicious bare repository inside a project — for example, through: - A pull request adding a directory that contains a bare repository - A compromised or malicious dependency that includes a bare repository - A cloned repository that already contains nested bare repositories

— could achieve arbitrary code execution on the user's workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.

Successful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.

Affected Versions

GitHub Copilot CLI versions prior to 1.0.42

Remediation and Mitigation

Fix

The fix sets safe.bareRepository=explicit via git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_* / GIT_CONFIG_VALUE_* environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal — only explicitly allowlisted bare repositories will be used.

User Actions

Upgrade GitHub Copilot CLI to 1.0.43 or later.
Exercise caution when working in repositories that contain nested bare git repositories.
Review project directories for unexpected bare repositories, especially in vendor/, third_party/, or deeply nested subdirectories.

Severity ?

8.5 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.42"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@github/copilot"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.43"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T16:16:06Z",
    "nvd_published_at": "2026-05-13T16:17:00Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set `core.fsmonitor` or other executable config keys to run arbitrary commands without user awareness or approval.\n\n## Details\n\nGit supports bare repositories \u2014 repositories without a working tree \u2014 which can be discovered automatically when git traverses the directory hierarchy looking for a `.git` directory. When git discovers a bare repository, it reads and applies its configuration, including keys that specify external commands to execute.\n\nThe vulnerability arises because git\u0027s `core.fsmonitor` config key (and 15+ similar keys such as `core.hookspath`, `diff.external`, `merge.tool`, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like `status`, `diff`, or `rev-parse`.\n\n### Attack Scenario\n\nAn attacker can exploit this by:\n\n1. Creating a bare git repository nested inside a seemingly normal project directory (e.g., `vendor/malicious.git/` or a deeply nested subdirectory)\n2. Configuring `core.fsmonitor` (or similar keys) in that bare repository to execute a malicious command\n3. When GitHub Copilot CLI performs any git operation that traverses into or through that directory, git auto-discovers the bare repository, reads its config, and executes the attacker\u0027s command\n\nThis can occur when:\n- The agent navigates into a subdirectory containing the buried bare repo\n- The agent runs `git status`, `git diff`, or other routine git commands\n- The agent uses tools like `grep` or `glob` that may trigger git operations in subdirectories\n\nPrior to the fix, the CLI had no protection against git auto-discovering bare repositories during directory traversal.\n\n## Impact\n\nAn attacker who can place a malicious bare repository inside a project \u2014 for example, through:\n- A pull request adding a directory that contains a bare repository\n- A compromised or malicious dependency that includes a bare repository\n- A cloned repository that already contains nested bare repositories\n\n\u2014 could achieve arbitrary code execution on the user\u0027s workstation whenever GitHub Copilot CLI performs git operations in or near the malicious directory.\n\nSuccessful exploitation could lead to data exfiltration, credential theft, file modification, or further system compromise.\n\n## Affected Versions\n\n- GitHub Copilot CLI versions prior to 1.0.42\n\n## Remediation and Mitigation\n\n### Fix\n\nThe fix sets `safe.bareRepository=explicit` via git\u0027s `GIT_CONFIG_COUNT` / `GIT_CONFIG_KEY_*` / `GIT_CONFIG_VALUE_*` environment variable mechanism, which has the highest precedence over all config file sources. This prevents git from automatically discovering and using bare repositories during directory traversal \u2014 only explicitly allowlisted bare repositories will be used.\n\n### User Actions\n\n1. **Upgrade** GitHub Copilot CLI to **1.0.43** or later.\n2. **Exercise caution** when working in repositories that contain nested bare git repositories.\n3. **Review** project directories for unexpected bare repositories, especially in `vendor/`, `third_party/`, or deeply nested subdirectories.",
  "id": "GHSA-9ccr-r5hg-74gf",
  "modified": "2026-05-14T20:38:48Z",
  "published": "2026-05-11T16:16:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45033"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/github/copilot-cli"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor"
}

FKIE_CVE-2026-45033

Vulnerability from fkie_nvd - Published: 2026-05-13 16:17 - Updated: 2026-05-13 19:17

Severity ?

8.5 (High) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a  security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git\u0027s automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git\u0027s core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43."
    }
  ],
  "id": "CVE-2026-45033",
  "lastModified": "2026-05-13T19:17:29.767",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-13T16:17:00.313",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/github/copilot-cli/security/advisories/GHSA-9ccr-r5hg-74gf"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-696"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-45033 (GCVE-0-2026-45033)

GHSA-9CCR-R5HG-74GF

Summary

Details

Attack Scenario

Impact

Affected Versions

Remediation and Mitigation

Fix

User Actions

FKIE_CVE-2026-45033

Tags

Sightings

Nomenclature