CVE-2026-45033

Source
https://cve.org/CVERecord?id=CVE-2026-45033
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45033.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45033
Aliases
Related
Published
2026-05-13T15:45:26.751Z
Modified
2026-07-08T08:13:30.048483522Z
Severity
  • 8.5 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
Details

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45033.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-696"
    ]
}
References

Affected packages

Git / github.com/github/copilot-cli

Affected ranges

Type
GIT
Repo
https://github.com/github/copilot-cli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:github:copilot-cli:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.43"
        }
    ]
}

Affected versions

v0.*
v0.0.328
v0.0.329
v0.0.330
v0.0.331
v0.0.332
v0.0.333
v0.0.334
v0.0.335
v0.0.336
v0.0.337
v0.0.338
v0.0.339
v0.0.340
v0.0.341
v0.0.342
v0.0.343
v0.0.344
v0.0.345
v0.0.346
v0.0.347
v0.0.348
v0.0.349
v0.0.350
v0.0.351
v0.0.352
v0.0.353
v0.0.354
v0.0.355
v0.0.355-37
v0.0.356
v0.0.356-0
v0.0.357
v0.0.357-0
v0.0.358
v0.0.358-0
v0.0.358-1
v0.0.359
v0.0.359-0
v0.0.360
v0.0.361
v0.0.361-0
v0.0.362
v0.0.362-0
v0.0.362-1
v0.0.363
v0.0.363-0
v0.0.363-1
v0.0.363-2
v0.0.364
v0.0.364-0
v0.0.365
v0.0.366
v0.0.366-0
v0.0.366-1
v0.0.366-2
v0.0.366-3
v0.0.366-5
v0.0.366-6
v0.0.366-7
v0.0.366-8
v0.0.366-9
v0.0.367
v0.0.367-0
v0.0.368
v0.0.368-0
v0.0.368-1
v0.0.368-2
v0.0.368-3
v0.0.368-4
v0.0.369
v0.0.369-0
v0.0.370
v0.0.370-0
v0.0.370-1
v0.0.370-5
v0.0.370-6
v0.0.370-7
v0.0.371
v0.0.371-0
v0.0.372
v0.0.373
v0.0.373-2
v0.0.373-3
v0.0.374
v0.0.375
v0.0.375-0
v0.0.375-1
v0.0.375-2
v0.0.376
v0.0.377
v0.0.378-0
v0.0.378-1
v0.0.378-2
v0.0.380
v0.0.381
v0.0.382
v0.0.382-0
v0.0.384
v0.0.385
v0.0.386
v0.0.387
v0.0.388
v0.0.388-0
v0.0.388-1
v0.0.389
v0.0.389-0
v0.0.389-1
v0.0.390
v0.0.392
v0.0.393
v0.0.394
v0.0.395
v0.0.396
v0.0.396-0
v0.0.397
v0.0.398
v0.0.399
v0.0.399-0
v0.0.400
v0.0.400-0
v0.0.401
v0.0.401-0
v0.0.401-1
v0.0.402
v0.0.402-0
v0.0.403
v0.0.404
v0.0.404-0
v0.0.405
v0.0.406
v0.0.406-0
v0.0.406-1
v0.0.407
v0.0.407-0
v0.0.407-1
v0.0.408
v0.0.409
v0.0.410
v0.0.410-0
v0.0.410-1
v0.0.411
v0.0.411-0
v0.0.411-1
v0.0.412
v0.0.412-0
v0.0.412-1
v0.0.412-2
v0.0.413
v0.0.413-0
v0.0.414
v0.0.415
v0.0.415-0
v0.0.415-1
v0.0.416
v0.0.417
v0.0.418
v0.0.418-0
v0.0.419
v0.0.419-0
v0.0.419-1
v0.0.420
v0.0.420-0
v0.0.421
v0.0.421-0
v0.0.421-1
v0.0.421-2
v0.0.422
v0.0.422-0
v0.0.422-1
v0.0.423
v1.*
v1.0.10
v1.0.10-0
v1.0.10-1
v1.0.11
v1.0.11-0
v1.0.11-1
v1.0.12
v1.0.12-0
v1.0.12-1
v1.0.12-2
v1.0.13
v1.0.13-0
v1.0.13-1
v1.0.13-2
v1.0.14
v1.0.14-0
v1.0.15
v1.0.15-0
v1.0.15-1
v1.0.15-2
v1.0.16
v1.0.16-0
v1.0.16-1
v1.0.17
v1.0.18
v1.0.19
v1.0.19-0
v1.0.2
v1.0.20
v1.0.20-0
v1.0.20-1
v1.0.21
v1.0.22
v1.0.22-0
v1.0.23
v1.0.24
v1.0.24-0
v1.0.25
v1.0.26
v1.0.26-0
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.3-0
v1.0.3-1
v1.0.3-2
v1.0.30
v1.0.31
v1.0.32
v1.0.32-0
v1.0.32-1
v1.0.33
v1.0.33-0
v1.0.34
v1.0.34-0
v1.0.35
v1.0.35-0
v1.0.35-1
v1.0.35-2
v1.0.35-3
v1.0.35-4
v1.0.35-5
v1.0.35-6
v1.0.36
v1.0.36-0
v1.0.36-1
v1.0.37
v1.0.39
v1.0.39-0
v1.0.4
v1.0.4-0
v1.0.4-1
v1.0.4-2
v1.0.4-3
v1.0.40
v1.0.40-0
v1.0.40-1
v1.0.40-2
v1.0.40-3
v1.0.41
v1.0.41-0
v1.0.41-1
v1.0.42
v1.0.42-0
v1.0.5
v1.0.5-0
v1.0.6
v1.0.6-0
v1.0.6-1
v1.0.6-2
v1.0.7
v1.0.7-0
v1.0.8
v1.0.8-0
v1.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45033.json"