CVE-2026-41506 PUBLISHED

go-git Credential leak via cross-host redirect in smart HTTP transport

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 08.05.2026 Updated: 08.05.2026

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CVSS Score: 4.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	go-git
Product	go-git
Versions	Version < 5.18.0 is affected Version < 6.0.0-alpha.2 is affected

References

https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
https://github.com/go-git/go-git/releases/tag/v5.18.0
https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2

Problem Types

CWE-522: Insufficiently Protected Credentials CWE