Incorrect Behavior Order: Validate Before Canonicalize

CVE-2026-45022

High

7/10

Summary

`go-git` may parse malformed Git objects in a way that differs from upstream Git. When `commit` or `tag` objects contain ambiguous or malformed headers, `go-git`'s decoded representation may expose values differently from how Git itself would interpret or reject the same object. All versions prior to 5.19.0 and 6.0.0-alpha.1 prior to 6.0.0-alpha.3 are affected.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

The software validates input before it is canonicalized, which prevents the software from detecting data that becomes invalid after the canonicalization step.

References

Advisory

Advisory Timeline

Published May 27, 2026

Incorrect Behavior Order: Validate Before Canonicalize

CVE-2026-45022

Summary

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS