CVE-2026-41506

Public on 2026-05-08
Modified on 2026-05-11
Description
go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.7
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-ssm-agent Pending Fix
Amazon Linux 2023 amazon-ssm-agent Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.7 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2026-41506 Mitre: CVE-2026-41506