CVE-2026-32631
Published: 15 April 2026
Summary
CVE-2026-32631 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability; the vendor is listed as Microsoft (inferred from references). Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-32631 affects Git for Windows, the Windows port of Git, in versions prior to 2.53.0.windows.3. These versions lack protections that would prevent attackers from obtaining a user's NTLM hash. The exposure occurs when a user clones a malicious repository, or checks out a malicious branch, that accesses an attacker-controlled server. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).
Attackers can exploit this remotely without privileges by tricking users into performing the clone or checkout action, which triggers NTLM authentication to the attacker's server by default without further interaction. Upon receiving the NTLM hash, attackers can attempt to brute-force the NTLMv2 hash—though computationally expensive—to extract the user's credentials, enabling potential lateral movement or further compromise in Windows environments.
The Git for Windows security advisory (GHSA-9j5h-h4m7-85hx) and release notes for version 2.53.0.windows.3 confirm the issue has been addressed with mitigations to prevent NTLM hash exposure during such operations. Users should update to 2.53.0.windows.3 or later to patch the vulnerability. References also highlight ongoing Microsoft efforts to deprecate NTLM in favor of stronger authentication protocols in Windows 11 version 24H2, Windows Server 2025, and beyond.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22991
Vulnerability details
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability directly triggers NTLM authentication to attacker-controlled server via malicious repo clone/checkout (enables T1187 Forced Authentication); obtained hash can be cracked via brute-force (T1110.002) and reused for lateral movement via Pass the Hash (T1550.002).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
Timely flaw remediation requires updating Git for Windows to 2.53.0.windows.3 or later, directly preventing NTLM hash exposure during clone or checkout operations.
Vulnerability monitoring and scanning identifies systems with vulnerable Git for Windows versions prior to 2.53.0.windows.3, enabling targeted remediation.
Monitoring for information disclosure detects unauthorized transmission of NTLM hashes to attacker-controlled servers triggered by malicious Git repositories or branches.
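For the vulnerability scanning control above, one way to triage collected `git --version` output against the fixed release. This is an added example, not code from the advisory or the Git for Windows project; the host names and inventory are constructed, and the handling of release-candidate strings and of releases after 2.53.0 is an assumption.

```python
import re

# Fixed release named on this page: 2.53.0.windows.3
FIXED = (2, 53, 0, 3)

# Git for Windows builds carry a ".windows.N" suffix, e.g.
# "git version 2.53.0.windows.2". Assumption: release candidates appear
# as "2.53.0.rc1.windows.1" (or with "-rc1").
_GFW = re.compile(
    r"git version (\d+)\.(\d+)\.(\d+)([.-]rc\d+)?\.windows\.(\d+)"
)

def classify(version_output):
    """Return 'vulnerable', 'fixed' or 'not-git-for-windows'."""
    m = _GFW.search(version_output)
    if m is None:
        # Other ports of Git are outside the scope of this CVE.
        return "not-git-for-windows"
    major, minor, patch, rc, win = m.groups()
    core = (int(major), int(minor), int(patch))
    if rc is not None:
        # An rc precedes every final build with the same core version,
        # so an rc of 2.53.0 or earlier predates the fix.
        return "vulnerable" if core <= FIXED[:3] else "fixed"
    # Assumption: every release after 2.53.0.windows.3 keeps the fix.
    return "vulnerable" if core + (int(win),) < FIXED else "fixed"

# Constructed sample inventory: host name -> `git --version` output.
SAMPLE_INVENTORY = {
    "ws-001": "git version 2.53.0.windows.2",
    "ws-002": "git version 2.53.0.windows.3",
    "ws-003": "git version 2.47.1.windows.1",
    "ws-004": "git version 2.53.0.rc1.windows.1",
    "ws-005": "git version 2.54.0.windows.1",
    "build-01": "git version 2.43.0",
}

def vulnerable_hosts(inventory):
    """Hosts whose Git for Windows build predates the fix."""
    return sorted(host for host, out in inventory.items()
                  if classify(out) == "vulnerable")

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host])
```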