CVE-2026-52726: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jelmer dulwich
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
AI Analysis
Technical Summary
The vulnerability in jelmer dulwich (CVE-2026-52726) is a path traversal flaw (CWE-22) in the submodule update process. Specifically, dulwich.porcelain.submodule_update and porcelain.clone with recurse_submodules=True do not validate submodule paths from a malicious upstream repository. An attacker can craft a .gitmodules file and corresponding gitlink tree entry with a path such as .git/hooks, causing malicious files to be written into the .git/hooks directory with executable permissions. These files are then executed by subsequent Git or dulwich commands that trigger the hooks, enabling arbitrary code execution. This issue parallels fixes made in upstream Git (CVE-2024-32002 and CVE-2024-32004) but was not previously fixed in dulwich. The vulnerability affects dulwich versions >=0.23.2 and <1.2.5 and is fixed in version 1.2.5.
Potential Impact
Exploitation allows an unauthenticated attacker to execute arbitrary code on the victim's system by placing malicious executables in the .git/hooks directory via a crafted upstream repository. This can lead to full compromise of the environment where dulwich is used to clone or update repositories with submodules. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a significant impact on availability.
Mitigation Recommendations
Version 1.2.5 of dulwich contains a fix for this vulnerability and should be applied to affected systems. Since no official patch links or vendor advisories are provided, users should upgrade to dulwich 1.2.5 or later to remediate this issue. Until upgraded, avoid cloning or updating repositories with untrusted submodules using dulwich's submodule update or clone with recurse_submodules enabled.
CVE-2026-52726: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jelmer dulwich
Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
CVSS v3.1
Score 7.5high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in jelmer dulwich (CVE-2026-52726) is a path traversal flaw (CWE-22) in the submodule update process. Specifically, dulwich.porcelain.submodule_update and porcelain.clone with recurse_submodules=True do not validate submodule paths from a malicious upstream repository. An attacker can craft a .gitmodules file and corresponding gitlink tree entry with a path such as .git/hooks, causing malicious files to be written into the .git/hooks directory with executable permissions. These files are then executed by subsequent Git or dulwich commands that trigger the hooks, enabling arbitrary code execution. This issue parallels fixes made in upstream Git (CVE-2024-32002 and CVE-2024-32004) but was not previously fixed in dulwich. The vulnerability affects dulwich versions >=0.23.2 and <1.2.5 and is fixed in version 1.2.5.
Potential Impact
Exploitation allows an unauthenticated attacker to execute arbitrary code on the victim's system by placing malicious executables in the .git/hooks directory via a crafted upstream repository. This can lead to full compromise of the environment where dulwich is used to clone or update repositories with submodules. The CVSS 3.1 base score is 7.5 (High), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a significant impact on availability.
Mitigation Recommendations
Version 1.2.5 of dulwich contains a fix for this vulnerability and should be applied to affected systems. Since no official patch links or vendor advisories are provided, users should upgrade to dulwich 1.2.5 or later to remediate this issue. Until upgraded, avoid cloning or updating repositories with untrusted submodules using dulwich's submodule update or clone with recurse_submodules enabled.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-08T14:00:43.571Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a29e5e631875706499a3a1b
Added to database: 6/10/2026, 10:32:06 PM
Last enriched: 6/10/2026, 10:45:27 PM
Last updated: 6/10/2026, 11:34:11 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.