CVE-2026-41506

Aliases:GHSA-3xc5-wrhm-f963

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2026-41506 OPENSUSE-SU-2026:10765-1 OPENSUSE-SU-2026:10771-1 OPENSUSE-SU-2026:10803-1 OPENSUSE-SU-2026:10830-1 RHSA-2026:17669

Analyzed

Published: 08 May 2026, 13:43

Last modified:11 May 2026, 18:50

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.4 HIGH

v3.1 (nvd)

EPSS Score

0.07% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

08 May 2026, 13:43

Published

Vulnerability first disclosed

11 May 2026, 18:50

Last Modified

Vulnerability information updated

Description

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

CVSS Metrics

v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
v3.1•HIGH•Score: 7.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 0.07%• Percentile: 23%

Techniques & Countermeasures

CWE-522•Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Affected Systems

go-git_project•go-git
< 5.18.0 | 6.0.0:alpha1
go-git•go-git
< 5.18.0 | < 6.0.0-alpha.2
github.com/go-git/go-git•v5
< 5.18.0
github.com/go-git/go-git•v6
< 6.0.0-alpha.2