CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-52726

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-02
Summary dulwich.porcelain.submodule_update, and by extension porcelain.clone(..., recurse_submodules=True), materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious .gitmodules plus a matching tree gitlink whose path is .git/hooks (or any other directory inside the parent repository's .git directory) causes the attacker's submodule tree contents to be written directly into the victim's .git/hooks/ directory, preserving executable mode bits. The dropped executables are then run by any subsequent git or dulwich command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Affected - Package: dulwich (PyPI) - Affected versions: >=0.23.2, <1.2.5 - Affected platforms: all (Linux, macOS, Windows). Exploitation does not require a case-insensitive or NTFS filesystem, because the path written is a literal .git/hooks rather than a case- or short-name-aliased form. Affected entry points: - dulwich.porcelain.submodule_update(repo, init=True, recursive=True) - dulwich.porcelain.clone(source, target, recurse_submodules=True) - dulwich submodule update CLI / dulwich clone --recurse-submodules CLI Vulnerable code The submodule path from the tree's gitlink entry (and matching .gitmodules) is consumed without validation in dulwich/porcelain/submodule.py. The attacker-controlled path enters the loop from iter_cached_submodules (submodule.py#L154-L168): for path, target_sha in submodules_to_update:

⚡ Watch CVE-2026-52726

Get an email if CVE-2026-52726 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-52726

CVE.org record

Embed the live status

CVE-2026-52726 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-52726 status](https://www.csirts.com/badge/CVE-2026-52726)](https://www.csirts.com/cve/CVE-2026-52726)