## GitPython CVE-2026-44244: Newline Injection Flaw Enables Remote Code Execution via Hooks Path
A critical newline injection vulnerability has been identified in GitPython, a widely used Python library for Git interaction. The flaw, tracked as CVE-2026-44244 and catalogued as GHSA-v87r-6q3f-2j67, exists within the `config_writer().set_value()` function and could allow remote code execution through manipulation of the `core.hooksPath` configuration parameter.

The vulnerability stems from `GitConfigParser.set_value()` passing values to Python's `configparser` module without checking them for newline characters. When the configuration is written, GitPython's internal `_write()` method converts embedded newlines into indented continuation lines, which can be exploited to inject arbitrary configuration directives. An attacker who controls the value passed to `set_value()` could supply input containing newline sequences that, when processed, inject unintended settings into the Git configuration file, ultimately enabling execution of arbitrary code through the `hooksPath` mechanism.

Affected versions span from the library's early releases through version 3.1.48. The issue has been addressed in version 3.1.49, and organizations leveraging GitPython in automation pipelines, CI/CD systems, or any application that processes untrusted Git configuration data should immediately verify their deployment status and apply the patched release. Given the library's prevalence in developer tooling and DevOps infrastructure, the potential blast radius of this vulnerability extends across numerous environments where Git operations are automated.
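
A guard for callers that cannot upgrade at once, together with a version check against the fixed release named above. This is an added example, not GitPython's own code or its 3.1.49 fix; `checked_set_value`, `is_patched`, `installed_gitpython_is_patched` and `UnsafeConfigValue` are hypothetical names, and rejecting every control character is a stricter rule than the advisory describes.

```python
import re
from importlib import metadata

FIXED_VERSION = (3, 1, 49)  # first patched release, per the advisory text above

# Assumption: no legitimate section, option or value needs CR, LF, NUL or any
# other C0 control character, so all of them are rejected (tabs included).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class UnsafeConfigValue(ValueError):
    """Raised when a section, option or value contains a control character."""


def checked_set_value(writer, section, option, value):
    """Validate the inputs, then delegate to writer.set_value().

    `writer` is the object returned by repo.config_writer(); this helper
    relies only on its set_value(section, option, value) method.
    """
    for label, item in (("section", section), ("option", option), ("value", value)):
        text = item if isinstance(item, str) else str(item)
        if _CONTROL_CHARS.search(text):
            raise UnsafeConfigValue(f"{label} contains a control character: {text!r}")
    return writer.set_value(section, option, value)


def is_patched(version):
    """Return True when a GitPython version string is 3.1.49 or later."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    parts += [0] * (3 - len(parts))  # "4.0" is compared as (4, 0, 0)
    return tuple(parts) >= FIXED_VERSION


def installed_gitpython_is_patched():
    """Check the GitPython installed in this environment; None if absent."""
    try:
        return is_patched(metadata.version("GitPython"))
    except metadata.PackageNotFoundError:
        return None
```

The wrapper only covers call sites that are routed through it, so upgrading to the patched release remains the fix.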
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-44244, RCE, newline injection, GitPython, security vulnerability
- **Credibility**: unverified
- **Published**: 2026-05-07 01:31:38
- **ID**: 79966
- **URL**: https://whisperx.ai/en/intel/79966