Fluid Attacks Database

Description

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/go-git/go-git/v5	>=0 <5.18.0	5.18.0
go	github.com/go-git/go-git/v6	>=0 <6.0.0-alpha.2	6.0.0-alpha.2
debian 12	golang-github-go-git-go-git	=5.11.0-1 \|\| =5.11.0-2 \|\| =5.11.0-3 \|\| =5.11.0-4 \|\| =5.12.0-1 \|\| =5.13.2-1 \|\| =5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| =5.19.1-1 \|\| =5.4.2-3 \|\| =5.4.2-4	-
debian 13	golang-github-go-git-go-git	=5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| =5.19.1-1	-
debian 14	golang-github-go-git-go-git	=5.14.0-1 \|\| =5.16.2-1 \|\| =5.17.0-1 \|\| =5.17.1-1 \|\| >=0 <5.19.1-1	5.19.1-1
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
debian 14	golang-github-go-git-go-git-v6	=6.0.0~alpha.4-1 \|\| =6.0.0~alpha4-1 \|\| =6.0.0~alpha4-2 \|\| =6~git20260305.2083cf94-1 \|\| =6~git20260305.2083cf94-2 \|\| =6~git20260305.2083cf94-3	-

Aliases

1. CVE-2026-415062. NVD-2026-415063. OSV-2026-415064. OSV-DEBIAN-2026-415065. GHSA-3xc5-wrhm-f9636. GCVE-2026-415067. SECURITY-TRACKER-CVE-2026-41506

References

1. https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f9632. https://github.com/go-git/go-git/releases/tag/v5.18.03. https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2