Arbitrary Code Injection Affecting datahub-ingestion-fips package, versions <1.5.0.1-r2


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.24% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-DATAHUBINGESTIONFIPS-16700924
  • published15 May 2026
  • disclosed7 May 2026

Introduced: 7 May 2026

CVE-2026-44244  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade Chainguard datahub-ingestion-fips to version 1.5.0.1-r2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream datahub-ingestion-fips package and not the datahub-ingestion-fips package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

CVSS Base Scores

version 3.1