CVE-2026-6951: Critical Vulnerability in simple-git

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

This vulnerability has a CVSS score of 9.2, indicating a critical severity level. The risk to organizations includes potential unauthorized access and control over affected systems. Given the nature of the vulnerability, it is critical for organizations to prioritize patching immediately.

Currently, there is no known exploit confirmed in the wild, but the exploitability of this vulnerability is assessed as critical. Organizations should remain vigilant and ensure that any untrusted input is not allowed to reach the vulnerable components.

Given its critical nature, organizations using versions of simple-git prior to 3.36.0 should take immediate action to remediate this vulnerability.

Vulnerability Details

The vulnerability is categorized under CWE-94: Code Injection. The affected product is simple-git, and the vulnerability was published on April 25, 2026. The CVSS vector string is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H.

Technical Analysis

The root cause of this vulnerability lies in the way simple-git processes input arguments. By not adequately handling the --config option, attackers can manipulate input to execute arbitrary code. The attack vector is network-based, and the attack complexity is low, which means that an attacker can exploit this vulnerability with minimal effort.

No privileges are required for exploitation, nor is user interaction necessary. The vulnerability impacts confidentiality, integrity, and availability, with a high impact in all three areas.

Risk & Impact Analysis

Organizations utilizing simple-git must recognize the real-world risks associated with this vulnerability. The risk extends to unauthorized access and the potential for significant operational disruptions due to remote code execution. The blast radius can be extensive, affecting any system relying on the vulnerable version of simple-git.

Given the critical CVSS score and the potential for exploitation, organizations should address this vulnerability as part of their immediate patching cycle.

Exploitation Status

Affected Versions

All versions prior to simple-git 3.36.0 are affected by this vulnerability.

Mitigation & Remediation

To mitigate this vulnerability, organizations should upgrade to simple-git version 3.36.0 or later. If immediate patching is not feasible, consider applying configuration hardening to restrict untrusted input from reaching the options argument. Implement network controls to limit exposure and monitor logs for any unusual activity.

For further insights on security testing, organizations can explore penetration testing methodologies.

Detection Guidance

Organizations should monitor for log indicators related to unexpected behavior from simple-git, including any attempts to use the -c or --config options with untrusted input. Look for network signatures that indicate exploitation attempts, and track any system changes that occur following such attempts.

AppSecure Threat Intelligence Insight

The significance of CVE-2026-6951 highlights the need for ongoing vigilance in software dependencies. This incident emphasizes the importance of regular updates and proactive vulnerability management. Security teams should learn from this vulnerability and strengthen their defensive posture through comprehensive risk assessments and timely patching.

Organizations can enhance their strategies by reviewing best practices in penetration testing methodology and adopting a holistic approach to application security by considering vulnerability management programs that encompass not just patching but also threat modeling and risk assessment.

Lastly, organizations should be aware of emerging threats and adapt their defenses accordingly, ensuring they are prepared for vulnerabilities that may arise in the future through comprehensive assessments like API penetration testing and regular red teaming exercises.