CVE-2026-41506 Overview
CVE-2026-41506 is a credential exposure vulnerability in go-git, an extensible Git implementation library written in pure Go. The library leaks HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. An attacker controlling or influencing a redirect target can capture credentials that should only be sent to the original host. The flaw is categorized as Insecure Credential Storage and Transmission [CWE-522] and affects versions prior to 5.18.0 and 6.0.0-alpha.2.
Critical Impact
HTTP authentication credentials, including tokens and passwords, can be transmitted to attacker-controlled hosts during redirected smart-HTTP Git operations, enabling repository compromise and lateral movement.
Affected Products
- go-git versions prior to 5.18.0
- go-git version 6.0.0-alpha1
- Applications and tools embedding vulnerable go-git releases for clone or fetch operations
Discovery Timeline
- 2026-05-08 - CVE-2026-41506 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41506
Vulnerability Analysis
The go-git library implements Git's smart-HTTP transport for remote operations such as clone and fetch. When the HTTP client receives a redirect response, it follows the new Location without stripping authentication material attached to the original request. As a result, credentials supplied for the initial host are forwarded to the redirect destination.
This behavior breaks the standard same-origin protection expected from HTTP clients handling sensitive headers. An adversary who controls a redirect endpoint, compromises an upstream Git proxy, or performs a network-position attack can harvest Authorization headers and basic-auth credentials. The leak occurs silently within the transport layer, so calling applications receive no indication that secrets left the intended trust boundary.
Root Cause
The root cause is improper handling of credential propagation in the HTTP redirect chain within go-git's smart-HTTP transport. The client retains and replays authentication headers across hosts instead of clearing them when the redirect target differs from the original authority. This violates the credential isolation guidance documented in CWE-522: Insufficiently Protected Credentials.
Attack Vector
Exploitation requires network access and user interaction in the form of a Git clone or fetch against an attacker-influenced URL. The attacker stages an HTTP endpoint that returns a redirect to a host they control. When a victim runs a go-git powered operation with embedded credentials or tokens against the staged URL, the client follows the redirect and reuses the original Authorization header against the attacker host. Captured credentials can then be replayed to access private repositories or downstream services. Refer to the GitHub Security Advisory GHSA-3xc5-wrhm-f963 for additional technical context.
Detection Methods for CVE-2026-41506
Indicators of Compromise
- Outbound HTTPS requests from build agents or developer hosts to unexpected Git hosting domains following a redirect from a known forge.
- HTTP 301, 302, 307, or 308 responses in proxy logs originating from Git smart-HTTP endpoints with Authorization headers preserved across hosts.
- Authentication events on Git hosting platforms from IP addresses that do not match developer or CI infrastructure ranges.
Detection Strategies
- Inventory all binaries and services that statically link go-git and compare embedded versions against 5.18.0 and 6.0.0-alpha.2.
- Inspect egress proxy traffic for cross-host redirect chains containing Git protocol paths such as /info/refs?service=git-upload-pack.
- Hunt for credential reuse on Git platforms by correlating personal access token usage with anomalous source IPs or user agents identifying go-git.
Monitoring Recommendations
- Alert on Git operations targeting domains outside an approved allowlist from CI/CD runners and developer endpoints.
- Rotate and monitor Git personal access tokens, deploying short-lived credentials where possible to limit replay windows.
- Enable repository-side audit logging for clone and fetch events and review for anomalous client identifiers.
How to Mitigate CVE-2026-41506
Immediate Actions Required
- Upgrade all applications using go-git to version 5.18.0 or 6.0.0-alpha.2 or later.
- Rotate any Git credentials, personal access tokens, or app passwords that may have been used with vulnerable go-git builds against untrusted or redirect-prone endpoints.
- Audit CI/CD pipelines and developer tooling for embedded go-git versions and force rebuilds against the patched releases.
Patch Information
The maintainers fixed the credential leak in go-git v5.18.0 and go-git v6.0.0-alpha.2. The patched releases prevent authentication headers from being forwarded when a redirect crosses to a different host. Full remediation details are in the GitHub Security Advisory GHSA-3xc5-wrhm-f963.
Workarounds
- Restrict outbound Git traffic to a known allowlist of trusted hosting providers to prevent redirects to attacker infrastructure.
- Use SSH-based Git transport in place of HTTPS where feasible, since SSH authentication is not affected by HTTP redirect handling.
- Replace long-lived credentials with short-lived, scope-limited tokens to reduce the impact of any captured authentication material.
# Configuration example: pin go-git to a patched release in go.mod
go get github.com/go-git/go-git/v5@v5.18.0
go mod tidy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
