Cyber Resilience

CVE-2026-32631

High

Published: 15 April 2026

Modified: 17 April 2026
CVSS v3.1 score: 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)
EPSS score: 0.0009 (24.8th percentile)
Risk priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32631 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability attributed to Microsoft as vendor (inferred from references). Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187). The CVE ranks at the 24.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-32631 affects Git for Windows, the Windows port of Git, in versions prior to 2.53.0.windows.3. The vulnerability stems from a lack of protections that would prevent attackers from obtaining a user's NTLM hash. The exposure occurs when a user clones a malicious repository, or checks out a malicious branch, that accesses an attacker-controlled server. The issue is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 7.4 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N).

Attackers can exploit this remotely without privileges by tricking users into performing the clone or checkout action, which triggers NTLM authentication to the attacker's server by default without further interaction. Upon receiving the NTLM hash, attackers can attempt to brute-force the NTLMv2 hash—though computationally expensive—to extract the user's credentials, enabling potential lateral movement or further compromise in Windows environments.

The Git for Windows security advisory (GHSA-9j5h-h4m7-85hx) and release notes for version 2.53.0.windows.3 confirm the issue has been addressed with mitigations to prevent NTLM hash exposure during such operations. Users should update to 2.53.0.windows.3 or later to patch the vulnerability. References also highlight ongoing Microsoft efforts to deprecate NTLM in favor of stronger authentication protocols in Windows 11 version 24H2, Windows Server 2025, and beyond.


Vulnerability details

Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1187 Forced Authentication (tactic: Credential Access)
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

T1110.002 Password Cracking (tactic: Credential Access)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.

T1550.002 Pass the Hash (tactic: Lateral Movement)
Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls.

Why these techniques?

The vulnerability directly triggers NTLM authentication to an attacker-controlled server via a malicious repository clone or checkout (enabling T1187 Forced Authentication); the obtained hash can be cracked by brute force (T1110.002) and reused for lateral movement via Pass the Hash (T1550.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13796 (shared CWE-200)
CVE-2025-27784 (shared CWE-200)
CVE-2025-26001 (shared CWE-200)
CVE-2026-42826 (shared CWE-200)
CVE-2025-24232 (shared CWE-200)
CVE-2026-4712 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)
CVE-2025-25975 (shared CWE-200)
CVE-2025-55265 (shared CWE-200)
CVE-2025-27604 (shared CWE-200)

Affected Assets

Microsoft
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation requires updating Git for Windows to 2.53.0.windows.3 or later, directly preventing NTLM hash exposure during clone or checkout operations.

detect

Vulnerability monitoring and scanning identifies systems with vulnerable Git for Windows versions prior to 2.53.0.windows.3, enabling targeted remediation.

detect

Monitoring for information disclosure detects unauthorized transmission of NTLM hashes to attacker-controlled servers triggered by malicious Git repositories or branches.
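
The version check behind the remediation and scanning controls above, as an added example (not code from this page or from the Git for Windows project). It classifies collected `git --version` output against the fixed release 2.53.0.windows.3. The hostnames, the sample inventory and the handling of release-candidate strings are assumptions.

```python
import re

# Fixed release named on the page; earlier Git for Windows builds are affected.
FIXED = (2, 53, 0, 1, 3)  # (major, minor, patch, 1 = final release, windows build)

# Matches e.g. "git version 2.53.0.windows.2". The optional rc component
# (".rc1" or "-rc1") is an assumption about how pre-release builds are reported.
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:[.-]rc(\d+))?\.windows\.(\d+)"
)


def parse_git_for_windows(version_output):
    """Return a sortable tuple, or None if this is not a Git for Windows build."""
    m = _VERSION_RE.search(version_output)
    if m is None:
        return None
    major, minor, patch, rc, win = m.groups()
    # A release candidate sorts before the final release of the same x.y.z.
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(win))


def classify(version_output):
    """Classify one `git --version` line: vulnerable, patched or not_applicable."""
    parsed = parse_git_for_windows(version_output)
    if parsed is None:
        return "not_applicable"  # the page scopes the issue to Git for Windows
    return "vulnerable" if parsed < FIXED else "patched"


def triage(inventory):
    """Map hostname -> status and return the hosts that still need the update."""
    report = {host: classify(line) for host, line in inventory.items()}
    todo = sorted(h for h, s in report.items() if s == "vulnerable")
    return report, todo


# Constructed inventory: hostnames and version strings are made-up sample data.
SAMPLE_INVENTORY = {
    "dev-ws-01": "git version 2.53.0.windows.2",
    "dev-ws-02": "git version 2.53.0.windows.3",
    "dev-ws-03": "git version 2.47.1.windows.1",
    "dev-ws-04": "git version 2.54.0.rc0.windows.1",
    "dev-ws-05": "git version 2.53.0.rc1.windows.1",
    "build-lnx-01": "git version 2.43.0",
}

if __name__ == "__main__":
    report, todo = triage(SAMPLE_INVENTORY)
    for host in sorted(report):
        print(f"{host:14} {report[host]}")
    print("needs update:", ", ".join(todo))
```

Components are compared as integers, so a build such as 2.9.x sorts below 2.53.0, which a plain string comparison would get wrong.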
