CVE-2026-52726
Summary
dulwich.porcelain.submodule_update, and by extension porcelain.clone(..., recurse_submodules=True), materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious .gitmodules plus a matching tree gitlink whose path is .git/hooks (or any other directory inside the parent repository's .git directory) causes the attacker's submodule tree contents to be written directly into the victim's .git/hooks/ directory, preserving executable mode bits. The dropped executables are then run by any subsequent git or dulwich command that invokes the matching hook, resulting in arbitrary code execution.
This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain.
Affected
- Package: dulwich (PyPI)
- Affected versions: >=0.23.2, <1.2.5
- Affected platforms: all (Linux, macOS, Windows). Exploitation does not require a case-insensitive or NTFS filesystem, because the path written is a literal .git/hooks rather than a case- or short-name-aliased form.
Affected entry points:
- dulwich.porcelain.submodule_update(repo, init=True, recursive=True)
- dulwich.porcelain.clone(source, target, recurse_submodules=True)
- dulwich submodule update CLI / dulwich clone --recurse-submodules CLI
Vulnerable code
The submodule path from the tree's gitlink entry (and matching .gitmodules) is consumed without validation in dulwich/porcelain/submodule.py.
The attacker-controlled path enters the loop from iter_cached_submodules (submodule.py#L154-L168):
for path, target_sha in submodules_to_update:
⚡ Watch CVE-2026-52726
Get an email if CVE-2026-52726 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.45% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all EPSS-scored CVEs.
Advisory coverage (1)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-52726)