ZCyberNews

GitHub Copilot CLI Flaw CVE-2026-45033 Enables RCE via Malicious Repos

CVE-2026-45033 (CVSS 9.8) in GitHub Copilot CLI before 1.0.43 lets attackers achieve remote code execution by embedding a malicious bare git repository in a project directory.

Executive Summary

GitHub has patched a critical remote code execution vulnerability in Copilot CLI, tracked as CVE-2026-45033 with a CVSS score of 9.8. The flaw allows an attacker to achieve arbitrary code execution on a developer's machine by embedding a malicious bare git repository inside a project directory. When the Copilot CLI agent performs git operations — such as reading file history or analyzing diffs — it can be tricked into executing code from the attacker-controlled bare repository. The vulnerability affects all versions prior to 1.0.43. GitHub released the fix on 2026-05-14, according to the advisory published in the GitHub Security Advisory database (GHSA-9ccr-r5hg-74gf).

Technical Analysis

Copilot CLI is a command-line interface that brings GitHub's AI-powered code completion and analysis directly to the terminal. It works by scanning the current project's git history, staged changes, and file contents to provide context-aware suggestions. The vulnerability resides in how the tool handles git repository discovery during directory traversal.

Git supports "bare" repositories — repositories without a working tree that store only git metadata (objects, refs, HEAD). Git's automatic bare repository discovery means that if a directory contains a subdirectory named .git with a HEAD file and an objects subdirectory, git treats it as a valid repository. An attacker can craft a malicious bare repository that, when placed inside a project the user opens with Copilot CLI, causes the agent to execute arbitrary commands during routine git operations.

The advisory from GitHub states: "a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations." The exact mechanism involves the agent invoking git commands on the repository without sanitizing the path or validating the repository's origin. By exploiting git's automatic bare repository discovery during directory traversal, the attacker-supplied repository can execute hooks or manipulate refs in ways that lead to code execution in the context of the user running Copilot CLI.

GitHub has assigned the issue a CVSS 9.8 rating, indicating the vulnerability requires no authentication, no user interaction beyond opening the project, and has high impact on confidentiality, integrity, and availability. The attack vector is network-based — an attacker could deliver the malicious repository via a cloned project from a public registry, a compromised dependency, or a pull request that introduces the bare repository into a shared codebase.

No public proof-of-concept exploit has been released as of this writing. However, the technical details in the advisory are sufficient for a skilled attacker to reproduce the issue. The vulnerability is particularly dangerous in CI/CD environments where Copilot CLI might be used to analyze repositories automatically.

Mitigations & Recommendations

Defenders and developers should update GitHub Copilot CLI to version 1.0.43 or later immediately. The update is available via npm (npm update -g @githubnext/github-copilot-cli), Homebrew (brew upgrade github-copilot-cli), or direct download from GitHub's releases page.

Organizations using Copilot CLI in shared development environments or CI pipelines should verify the installed version across all nodes. Given the attack vector — a malicious bare repository delivered through a cloned project — teams should also review their dependency management practices. Scanning for unexpected .git directories or bare repository structures in third-party code could provide defense in depth, though this is not a substitute for patching.
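As an added defender-side example (not code from GitHub, the advisory, or Copilot CLI itself), the following Python script implements the defense-in-depth check suggested above: it walks a project tree and reports every directory below the top level that has git's minimal repository layout (a HEAD file plus an objects/ directory), whether it is nested as a .git directory or laid out as a bare repository, along with any executable hooks it carries. The tree it scans is a constructed fixture built in a temporary directory; paths such as vendor/lib/.git and tools/cache.git are hypothetical.

```python
import os, stat, tempfile
from pathlib import Path

def looks_like_git_dir(path: Path) -> bool:
    # Minimal layout git accepts as a repository: a HEAD file plus an objects/ directory.
    return (path / "HEAD").is_file() and (path / "objects").is_dir()

def list_hooks(git_dir: Path) -> list:
    # Executable, non-sample files under hooks/ are the ones git would actually run.
    hooks_dir = git_dir / "hooks"
    if not hooks_dir.is_dir():
        return []
    return sorted(p.name for p in hooks_dir.iterdir()
                  if p.is_file() and not p.name.endswith(".sample") and os.access(p, os.X_OK))

def find_nested_repos(root) -> list:
    # Every repository-like directory below root, except the project's own top-level .git.
    root, findings = Path(root).resolve(), []
    for dirpath, dirnames, _ in os.walk(root):
        current, keep = Path(dirpath), []
        for name in dirnames:
            child = current / name
            if current == root and name == ".git":
                continue  # expected: the project's own repository; not descended into
            if looks_like_git_dir(child):
                findings.append({"path": child.relative_to(root).as_posix(),
                                 "bare_layout": name != ".git",  # bare repos need no .git wrapper
                                 "hooks": list_hooks(child)})
            else:
                keep.append(name)  # only ordinary directories are walked further
        dirnames[:] = keep  # prune in place so os.walk skips flagged directories
    return findings

def build_sample_tree(base: Path) -> None:
    # Constructed fixture (hypothetical paths): a project plus two hidden repos, one with an executable hook.
    for git_dir in (base / ".git", base / "vendor" / "lib" / ".git", base / "tools" / "cache.git"):
        (git_dir / "objects").mkdir(parents=True)
        (git_dir / "HEAD").write_text("ref: refs/heads/main\n")
    hook = base / "vendor" / "lib" / ".git" / "hooks" / "post-checkout"
    hook.parent.mkdir()
    hook.write_text("#!/bin/sh\necho constructed-sample-hook\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)

def scan_sample_tree() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return find_nested_repos(tmp)

if __name__ == "__main__":
    print(*scan_sample_tree(), sep="\n")
```

Run it against a real checkout with find_nested_repos(path); any finding with a non-empty hooks list deserves review before an agent or CI job runs git commands in that tree.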

GitHub has not reported any in-the-wild exploitation of CVE-2026-45033 as of the advisory date. The company credits an external researcher for the discovery but has not disclosed the researcher's identity.
