A massive and widespread vulnerability in web server configurations has left millions of websites open to data theft and unauthorised takeover.
A new 2026 study conducted by the Mysterium VPN research team reveals that nearly 5 million web servers worldwide are publicly exposing their .git repository metadata.
The Scale of the Leak
The research scanned the internet for accessible .git folders, the hidden directories the Git version control system uses to track code changes.
These folders are meant to stay on developer machines or private repositories, not on live public web servers.
The study found 4,964,815 IP addresses exposing this sensitive data.

Most concerning is that 252,733 of these servers (roughly 5%) exposed a specific file named .git/config that contained live deployment credentials.
When a .git folder is left open, it allows anyone with a web browser to download the entire history of a website’s source code.
This exposure gives attackers a “roadmap” to the organization’s infrastructure.
According to the report, the risks include:
- Source Code Theft: Hackers can reconstruct proprietary software and intellectual property.
- Credential Harvesting: The 250,000+ exposed config files often contain API keys, passwords, and access tokens.
- Supply Chain Attacks: Attackers can use stolen credentials to upload malicious code to the repository, potentially infecting all users of the software.
Global Impact
The issue is global, but the United States hosts the majority of vulnerable servers, accounting for nearly 35% (1.7 million IPs) of the findings.

Other heavily affected nations include Germany, France, India, and Singapore.
| Data point | Value |
|---|---|
| IPs with publicly accessible .git metadata | 4,964,815 |
| Exposed .git/config files with deployment credentials | 252,733 |
| Share of exposed IPs whose .git/config carried deployment credentials | ~5.09% |
| Top country by exposed IPs | United States (1,722,949; ~34.70%) |
| Other highly exposed locations (IPs) | Germany 419,102; France 237,593; India 218,661; Singapore 189,900; Netherlands 165,174; Japan 164,768; Russia 147,859; UK 140,341; Hong Kong 127,223 |
The distribution largely reflects where major cloud hosting infrastructure is located rather than where the website owners operate.
The exposure typically arises from a simple oversight during deployment. Developers often copy their entire project folder, including the hidden .git directory, to the live server.
Because many web servers do not block access to hidden files (those starting with a dot) by default, the directory becomes publicly accessible.
Security experts urge administrators to take immediate action to close these gaps.
- Block Access: Configure web servers (Nginx, Apache, IIS) to deny all external requests to .git directories and other hidden files.
- Clean Deployments: Ensure production build pipelines only upload necessary artifacts, excluding version control data entirely.
- Rotate Secrets: If a .git/config file was exposed, treat all associated API keys and passwords as compromised. Revoke and rotate them immediately.
By following basic “sanitization” practices in deployment pipelines, organizations can close this dangerous backdoor.
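A pre-deploy check of the kind the "Clean Deployments" and "Rotate Secrets" advice above calls for, added here as an example (not code from the report or the research team): it flags dot-prefixed paths such as .git and .env in a build artifact before upload, keeps .well-known servable, and parses a .git/config to name the remotes whose URL embeds user:token credentials so those secrets can be rotated. The sample artifact, the config text and the git.example.com token are constructed.

```python
import configparser
import os
import tempfile
from urllib.parse import urlsplit

HIDDEN_ALLOWLIST = {".well-known"}  # the one dot-path a web root legitimately serves

# Constructed sample .git/config in Git's INI-like format; the token is a dummy.
SAMPLE_GIT_CONFIG = """\
[remote "origin"]
\turl = https://deploy:EXAMPLE_TOKEN@git.example.com/acme/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.com:acme/site.git
"""

def find_hidden_paths(root):
    """Dot-prefixed files/dirs under root, as sorted relative paths, allowlist excepted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith(".") and name not in HIDDEN_ALLOWLIST:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # don't descend
    return sorted(hits)

def remotes_with_credentials(config_text):
    """Names of [remote "..."] sections whose url embeds user[:password]@host."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(config_text)  # Git's tab-indented keys parse as plain options
    leaked = []
    for section in parser.sections():
        if section.startswith("remote "):
            parts = urlsplit(parser.get(section, "url", fallback=""))
            if parts.username or parts.password:  # scp-style git@host:path has neither
                leaked.append(section.split(" ", 1)[1].strip('"'))
    return leaked

def build_sample_artifact():
    """Constructed build directory that reproduces the deployment mistake."""
    root = tempfile.mkdtemp(prefix="site-")
    for d in (".git", ".well-known", "assets"):
        os.makedirs(os.path.join(root, d))
    files = {"index.html": "<h1>hello</h1>\n", ".env": "DB_PASSWORD=EXAMPLE\n",
             ".git/config": SAMPLE_GIT_CONFIG, ".git/HEAD": "ref: refs/heads/main\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    return root
```

Against the constructed artifact, find_hidden_paths(build_sample_artifact()) returns ['.env', '.git'] and remotes_with_credentials(SAMPLE_GIT_CONFIG) returns ['origin']; the SSH-style mirror remote carries no embedded secret and is not flagged.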