CVE-2020-26233

Name: CVE-2020-26233
Creator: NVD / NIST
Published: 2020-12-08T20:15:15.447+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.3/10EPSS 5.94%

Last modified Jun 17, 2026

CVE-2020-26233 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. EPSS estimates a 5.94% chance of exploitation in the next 30 days.

Description

Git Credential Manager Core (GCM Core) is a secure Git credential helper built on .NET Core that runs on Windows and macOS. In Git Credential Manager Core before version 2.0.289, when recursively cloning a Git repository on Windows with submodules, Git will first clone the top-level repository and then recursively clone all submodules by starting new Git processes from the top-level working directory. If a malicious git.exe executable is present in the top-level repository then this binary will be started by Git Credential Manager Core when attempting to read configuration, and not git.exe as found on the %PATH%. This only affects GCM Core on Windows, not macOS or Linux-based distributions. GCM Core version 2.0.289 contains the fix for this vulnerability, and is available from the project's GitHub releases page. GCM Core 2.0.289 is also bundled in the latest Git for Windows release; version 2.29.2(3). As a workaround, users should avoid recursively cloning untrusted repositories with the --recurse-submodules option.

Metrics

CVSS 3.1

7.3/10

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

EPSS Probability

5.94%

92.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Microsoft	Git Credential Manager Core	< 2.0.289

References

https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/Exploit, Third Party Advisory
https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgtThird Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76Patch, Third Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-betaRelease Notes, Third Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76Third Party Advisory
https://blog.blazeinfosec.com/attack-of-the-clones-2-git-command-client-remote-code-execution-strikes-back/Exploit, Third Party Advisory
https://git-scm.com/docs/git-clone#Documentation/git-clone.txt---recurse-submodulesltpathspecgtThird Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/commit/61c0388e064babb3b4e60d3ec269e8a07ab3bc76Patch, Third Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/releases/tag/v2.0.289-betaRelease Notes, Third Party Advisory
https://github.com/microsoft/Git-Credential-Manager-Core/security/advisories/GHSA-2gq7-ww4j-3m76Third Party Advisory

Timeline

Published: Dec 8, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-26233?

How severe is CVE-2020-26233?

CVE-2020-26233 has a CVSS score of 7.3/10 (HIGH severity). The EPSS model estimates a 5.94% probability of exploitation in the next 30 days.

How do I fix CVE-2020-26233?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26233?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST