CVE-2026-45033 Overview
CVE-2026-45033 is a high-severity arbitrary code execution vulnerability in GitHub Copilot CLI versions prior to 1.0.43. The flaw allows a malicious bare git repository nested inside a project directory to execute arbitrary commands when the Copilot agent performs routine git operations. Attackers abuse git's automatic repository discovery, which walks upward from the current directory and accepts the first bare repository it encounters, to get git to read an attacker-controlled config file that sets executable configuration keys such as core.fsmonitor, core.hookspath, diff.external, or merge.tool. These keys take arbitrary shell commands that git runs during normal operations such as status, diff, or commit. GitHub fixed the vulnerability in Copilot CLI version 1.0.43.
Critical Impact
A malicious nested git repository can achieve arbitrary code execution on a developer workstation without user awareness or approval when the Copilot CLI agent interacts with the project directory.
Affected Products
- GitHub Copilot CLI versions prior to 1.0.43
- Development environments running Copilot CLI with access to untrusted project directories
- Systems where the agent performs git operations on cloned or downloaded repositories
Discovery Timeline
- 2026-05-13 - CVE-2026-45033 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45033
Vulnerability Analysis
The vulnerability stems from improper handling of git repository discovery [CWE-696]. When git is run without an explicit --git-dir or GIT_DIR, it walks from the current directory upward until it finds either a .git entry or a directory that itself looks like a repository (a HEAD file next to objects/ and refs/), which is how a bare repository is recognized. The walk stops at the first match, so when the Copilot CLI agent runs git from inside a subdirectory that an attacker has laid out as a bare repository, git selects that nested repository before it ever reaches the project's own .git and reads the nested config file. That configuration may contain executable directives that git interprets and runs.
A number of git configuration keys take values that git passes to a shell or executes as a program, among them core.fsmonitor, core.hookspath, core.pager, core.editor, core.sshCommand, diff.external, merge.tool (together with mergetool.<tool>.cmd, which holds the actual command), and gpg.program. Which key fires depends on the operation: core.fsmonitor runs whenever git refreshes the index, which both git status and git diff do; diff.external runs on git diff; hooks found under core.hookspath run on commit, checkout, merge, and push; core.pager runs only when output goes to a terminal. The Copilot CLI invokes these commands as part of normal agent workflows, providing an automatic trigger for the attacker payload.
Root Cause
The root cause is the agent's reliance on git's permissive repository discovery without validating that the discovered repository is the one it intends to operate on, namely the project's own .git. A bare repository placed inside a project directory is treated by git as a legitimate configuration source. The Copilot CLI does not sandbox git invocations, pin the git directory, or restrict which configuration keys are honored before running git operations.
Attack Vector
An attacker prepares a project containing a hidden bare git repository whose config file sets core.fsmonitor or a similar key to a shell command. The victim clones, downloads, or extracts the project and launches Copilot CLI in it. When the agent runs an index-refreshing git command from inside the nested directory, git discovers the bare repository, reads its configuration, and executes the attacker-supplied command under the user's privileges. The agent's command-approval step does not help: what is approved is an ordinary-looking git command, and the payload runs inside git as a side effect of that command, so no prompt for the payload itself is ever shown.
No verified exploitation code is published for this CVE. Refer to the GitHub Security Advisory for technical details and the upstream fix.
Detection Methods for CVE-2026-45033
Indicators of Compromise
- Presence of unexpected bare git repositories (directories containing HEAD, config, objects/ and refs/ but no working tree, and not named .git) nested inside project folders
- Git config files containing core.fsmonitor, core.hookspath, diff.external, merge.tool, or gpg.program set to shell commands or interpreter invocations
- Child processes spawned by git that are unrelated to git internals, such as bash, sh, curl, wget, or powershell; note that git legitimately spawns sh to run repository hooks, so triage the command line and the repository it came from rather than alerting on the shell alone
Detection Strategies
- Scan developer workstations and source directories for nested .git and bare repositories that were not created by the user
- Parse git config files in repositories and flag executable-valued keys against an allowlist
- Monitor process telemetry for git parent processes invoking shells, network utilities, or scripting engines
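The following is an added example written for this page; it is not GitHub's, git's, or the advisory's code. It serves both the Vulnerability Analysis section and the detection bullets above: `discover` models git's upward repository discovery to show why a bare repository nested under a project is the one git selects when run from inside it, and `scan_tree` implements the two file-system detections (find nested bare repositories, flag executable-valued config keys). The fixture tree, the inert command values in it, and the pattern list of executable keys are constructed assumptions; the discovery model also ignores GIT_DIR, GIT_CEILING_DIRECTORIES, and safe.bareRepository, which real git consults.

```python
"""Added example (not GitHub's or git's code): find nested bare repositories and
executable-valued config keys, and model git's upward discovery."""
import os
import re
import tempfile
from pathlib import Path

# Keys git hands to a shell or exec()s. Drawn from git's documented config, but the
# subset is an editorial assumption, not git's complete inventory.
EXECUTABLE_KEY_PATTERNS = [re.compile(p) for p in (
    r"^core\.(fsmonitor|hookspath|pager|editor|sshcommand|askpass)$",
    r"^diff\.external$", r"^diff\.[^.]+\.(command|textconv)$",
    r"^merge\.tool$", r"^mergetool\.[^.]+\.cmd$",
    r"^filter\.[^.]+\.(clean|smudge|process)$",
    r"^gpg\.program$", r"^gpg\.[^.]+\.program$",
    r"^uploadpack\.packobjectshook$",
)]
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"([^"]*)")?\s*\]$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Minimal reader for git's config syntax -> {"section[.sub].key": value}.
    Section and key names are lowercased (git compares them case-insensitively);
    subsections keep their case. Quoting and line-continuation rules are simplified."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            continue
        m = KEY_RE.match(line)
        if m and section:
            value = (m.group(2) or "true").strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            entries[f"{section}.{m.group(1).lower()}"] = value
    return entries


def is_executable_key(key):
    return any(p.match(key) for p in EXECUTABLE_KEY_PATTERNS)


def is_git_dir(d):
    """The test git applies to a candidate directory: HEAD file plus objects/ and refs/."""
    return (d / "HEAD").is_file() and (d / "objects").is_dir() and (d / "refs").is_dir()


def discover(start):
    """Model of git's upward walk: at each ancestor a .git entry wins, otherwise the
    ancestor itself is accepted if it is a git dir (the bare-repository case)."""
    d = Path(start).resolve()
    while True:
        if is_git_dir(d / ".git"):
            return d / ".git"
        if is_git_dir(d):
            return d
        if d.parent == d:
            return None
        d = d.parent


def scan_tree(root):
    """Every git dir under root, tagged 'bare' unless it is a .git directory,
    together with any executable-valued config keys it sets."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if not is_git_dir(d):
            continue
        dirnames[:] = []  # do not descend into the repository's internals
        cfg = parse_git_config((d / "config").read_text()) if (d / "config").is_file() else {}
        kind = "bare" if d.name != ".git" or cfg.get("core.bare", "").lower() == "true" else "dotgit"
        flagged = {k: v for k, v in cfg.items()
                   if is_executable_key(k) and v.lower() not in ("true", "false")}
        findings.append({"path": d, "kind": kind, "executable_keys": flagged})
    return findings


def _make_git_dir(d, config_text):
    for sub in ("objects", "refs"):
        (d / sub).mkdir(parents=True, exist_ok=True)
    (d / "HEAD").write_text("ref: refs/heads/main\n")
    (d / "config").write_text(config_text)


def demo():
    """Constructed fixture: a normal project plus a nested bare repo at vendor/lib whose
    config sets executable keys to inert commands (nothing here is ever executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        _make_git_dir(root / "project" / ".git",
                      "[core]\n\trepositoryformatversion = 0\n\tbare = false\n")
        _make_git_dir(root / "project" / "vendor" / "lib",
                      "[core]\n\tbare = false\n\tfsmonitor = touch /tmp/fsmonitor-ran\n"
                      '[diff "secret"]\n\tcommand = id\n')

        def rel(p):
            return p.relative_to(root).as_posix()

        findings = scan_tree(root / "project")
        return {
            "repos": sorted((f["kind"], rel(f["path"])) for f in findings),
            "flagged": {rel(f["path"]): f["executable_keys"] for f in findings if f["executable_keys"]},
            "from_vendor": rel(discover(root / "project" / "vendor")),
            "from_lib": rel(discover(root / "project" / "vendor" / "lib")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the findings for the fixture; in practice point `scan_tree` at the directory the agent will work in and remove any "bare" finding with flagged keys before starting a session. The `from_lib` result is the point of the mechanism: from inside vendor/lib the walk returns the nested bare repository, while from vendor it returns the project's own .git.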
Monitoring Recommendations
- Alert on Copilot CLI sessions where git operations spawn unexpected interpreters or outbound network connections
- Track installations of GitHub Copilot CLI and flag versions below 1.0.43
- Audit file system events for the creation of bare repository structures inside existing project directories
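The following is an added example for the monitoring bullets above; it is not GitHub's code or any EDR product's rule. It runs process-tree logic over sample process-start records, flags git processes whose children are shells, interpreters, or network tools, and raises the severity when the git process sits under a Copilot CLI session, since that is the case in which no user sees a prompt. The JSON record layout, the sample events, and the binary name `copilot` are constructed assumptions; map them onto the fields your telemetry actually carries.

```python
"""Added example (constructed for this page; not GitHub's code or an EDR rule):
flag git processes that spawn interpreters or network tools, escalating when the
git process runs under a Copilot CLI session."""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str        # basename of the executable image
    cmdline: str


AGENT_EXES = {"copilot"}   # assumed binary name of a Copilot CLI session; adjust locally
INTERPRETERS = {"sh", "bash", "zsh", "dash", "python", "python3", "perl", "node",
                "powershell", "pwsh", "cmd"}
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "socat"}

# Constructed telemetry, one JSON record per process start (not real data).
SAMPLE_LOG = """\
{"pid": 100, "ppid": 1,   "exe": "bash",    "cmdline": "bash"}
{"pid": 200, "ppid": 100, "exe": "copilot", "cmdline": "copilot"}
{"pid": 300, "ppid": 200, "exe": "git",     "cmdline": "git status --porcelain=v2"}
{"pid": 400, "ppid": 300, "exe": "sh",      "cmdline": "sh -c 'touch /tmp/fsmonitor-ran' 2 0"}
{"pid": 500, "ppid": 100, "exe": "git",     "cmdline": "git commit -m wip"}
{"pid": 600, "ppid": 500, "exe": "sh",      "cmdline": "sh .git/hooks/pre-commit"}
{"pid": 700, "ppid": 500, "exe": "vim",     "cmdline": "vim .git/COMMIT_EDITMSG"}
{"pid": 800, "ppid": 100, "exe": "git",     "cmdline": "git fetch origin"}
{"pid": 900, "ppid": 800, "exe": "git-remote-https", "cmdline": "git-remote-https origin"}
"""


def parse_events(text):
    return [ProcEvent(**json.loads(line)) for line in text.splitlines() if line.strip()]


def ancestry(by_pid, pid):
    """Executable names from pid up through its ancestors, nearest first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].exe)
        pid = by_pid[pid].ppid
    return chain


def detect_git_spawns(events):
    """One alert for every interpreter or network-tool child of a git process."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.exe != "git":
            continue
        if e.exe not in INTERPRETERS and e.exe not in NETWORK_TOOLS:
            continue
        chain = ancestry(by_pid, parent.pid)
        under_agent = any(name in AGENT_EXES for name in chain)
        # A shell under git is often a legitimate hook, so it rates medium on its own;
        # an agent session (no user prompt) or a network tool raises it to high.
        severity = "high" if under_agent or e.exe in NETWORK_TOOLS else "medium"
        alerts.append({"child_pid": e.pid, "child": e.exe, "cmdline": e.cmdline,
                       "git_cmdline": parent.cmdline, "chain": chain,
                       "under_agent": under_agent, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_git_spawns(parse_events(SAMPLE_LOG)):
        print(alert["severity"], alert["chain"], alert["cmdline"])
```

On the sample data the hook spawned from the developer's own git commit is reported at medium severity for triage, while the shell spawned by git status under the copilot process is reported high; the editor (vim) and the git-remote-https helper are not reported at all.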
How to Mitigate CVE-2026-45033
Immediate Actions Required
- Upgrade GitHub Copilot CLI to version 1.0.43 or later on all developer workstations
- Inventory existing project directories for nested bare repositories and remove any that are not expected
- Restrict use of Copilot CLI to trusted projects until the upgrade is confirmed
Patch Information
GitHub fixed CVE-2026-45033 in Copilot CLI version 1.0.43. The patch is described in the GitHub Security Advisory GHSA-9ccr-r5hg-74gf. Install the updated release through the standard distribution channel used in your environment.
Workarounds
- Avoid running Copilot CLI inside directories sourced from untrusted archives or repositories until patched
- Set safe.bareRepository=explicit in the global git config (available since Git 2.38) so that git ignores bare repositories it discovers implicitly during the upward walk and only uses one named by --git-dir or GIT_DIR; GIT_CEILING_DIRECTORIES can additionally cap how far up git searches. GIT_CONFIG_NOSYSTEM only skips the system-level gitconfig and safe.directory only governs ownership checks, so neither addresses a nested bare repository on its own
- Run Copilot CLI inside an isolated container or sandbox so that arbitrary command execution does not affect the host
# Verify the installed Copilot CLI version (1.0.43 or later contains the fix)
copilot --version
# Locate repositories under the current tree: any directory holding HEAD, objects/ and refs/;
# entries not named .git are candidate nested bare repositories
find . -type f -name HEAD -exec sh -c '
  for h; do d=$(dirname "$h"); [ -d "$d/objects" ] && [ -d "$d/refs" ] && echo "$d"; done
' sh {} + | tee /tmp/repo-dirs.txt
# Inspect each repository config for executable-valued keys (key names are case-insensitive)
while read -r d; do
  [ -f "$d/config" ] && grep -HniE \
    "^[[:space:]]*(fsmonitor|hookspath|external|pager|editor|sshcommand|askpass|program|tool|cmd|command|clean|smudge)[[:space:]]*=" \
    "$d/config"
done < /tmp/repo-dirs.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


