CVE-2026-45022 Overview
CVE-2026-45022 affects go-git, an extensible Git implementation library written in pure Go. Versions prior to 5.19.0 and 6.0.0-alpha.3 parse malformed Git objects differently from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git decodes them inconsistently with how canonical Git would interpret or reject the same object. The commit signing and verification logic operates over reconstructed data rather than original raw object bytes. As a result, go-git can sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This vulnerability is classified under [CWE-180] (Incorrect Behavior Order: Validate Before Canonicalize).
Critical Impact
A cryptographic signature may appear valid for a commit whose displayed or effective metadata differs from the object that was actually signed, undermining trust in signed commits.
Affected Products
- go-git versions prior to 5.19.0
- go-git versions prior to 6.0.0-alpha.3
- Applications and tooling that rely on go-git for commit signing or signature verification
Discovery Timeline
- 2026-05-27 - CVE-2026-45022 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45022
Vulnerability Analysis
The vulnerability stems from a divergence between go-git's object parser and upstream Git's canonical parser. Git commit and tag objects are plain-text structures with a header section followed by a message body. When these objects contain malformed or ambiguous headers, such as duplicated fields, unexpected whitespace, or non-canonical ordering, go-git's decoder accepts and normalizes them. Upstream Git may reject the same object or interpret the fields differently. An attacker who controls object content can craft a commit that displays one set of metadata in go-git tooling while presenting different metadata to standard Git clients.
Root Cause
The signing and verification pipeline reconstructs commit data from go-git's internal parsed representation instead of hashing the original raw object bytes. Canonical Git signature workflows operate over the exact byte stream of the object, ensuring that the signature is bound to what is stored on disk. By re-serializing parsed fields, go-git can produce a payload that differs from the original object even when no malicious change was intended. This breaks the integrity guarantee that signatures bind to specific committed bytes.
Attack Vector
An attacker with permission to push commits, submit pull requests, or otherwise introduce objects into a repository can craft a malformed commit or tag. When the object is signed or verified through go-git, the produced or accepted signature corresponds to the reconstructed payload. Downstream consumers using upstream Git see a different object, potentially with different author, committer, parent, or message fields. This enables signature confusion, audit log evasion, and supply-chain trust violations in CI/CD pipelines that rely on go-git for commit attestation.
Detection Methods for CVE-2026-45022
Indicators of Compromise
- Commits or tags whose displayed metadata differs between go-git-based tools and the canonical git command-line client.
- Signed commits where the object hash recomputed from raw bytes does not match the hash referenced by the signature payload.
- Repository objects containing duplicated headers, unusual whitespace, or non-standard field ordering in commit or tag payloads.
Detection Strategies
- Run integrity audits that re-verify commit signatures using upstream git verify-commit and compare results against go-git verification outcomes.
- Inventory all internal tools, CI/CD systems, and Git hosting services that link against go-git and identify versions in use.
- Scan repositories for objects that fail strict canonical Git parsing while being accepted by go-git.
Monitoring Recommendations
- Log and alert on signature verification discrepancies between go-git-based services and reference Git implementations.
- Track go-git library versions across the software bill of materials (SBOM) for all internal Go applications.
- Monitor commit signing services for objects whose reconstructed payload diverges from stored object bytes.
How to Mitigate CVE-2026-45022
Immediate Actions Required
- Upgrade go-git to version 5.19.0 or 6.0.0-alpha.3, which contain the official fix.
- Audit recent signed commits and tags produced by go-git-based tooling for header anomalies.
- Identify and rebuild downstream binaries and container images that embed vulnerable go-git versions.
Patch Information
The maintainers fixed the vulnerability in go-git 5.19.0 and 6.0.0-alpha.3. Both releases align object parsing with upstream Git semantics and ensure signing and verification operate on raw object bytes rather than reconstructed representations. Refer to the GitHub Security Advisory GHSA-389r-gv7p-r3rp for full remediation details.
Workarounds
- Where upgrading is not immediately possible, perform signature verification using upstream git rather than go-git.
- Restrict push and tag creation permissions to trusted identities to reduce the opportunity for malformed object injection.
- Add CI checks that reject commits and tags failing canonical Git parsing before they enter protected branches.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
