CVE-2026-32631 Overview
CVE-2026-32631 is a high-severity information disclosure vulnerability affecting Git for Windows versions prior to 2.53.0.windows.3. The vulnerability allows attackers to obtain a user's NTLM hash by tricking them into cloning a malicious repository or checking out a malicious branch that accesses an attacker-controlled server. By default, NTLM authentication does not require any user interaction, making this attack particularly dangerous. Once obtained, the NTLMv2 hash can be brute-forced to extract user credentials, enabling further compromise of user accounts and systems.
Critical Impact
Attackers can steal NTLM authentication hashes from Windows users, potentially leading to credential theft and unauthorized access to corporate resources without user interaction.
Affected Products
- Git for Windows versions prior to 2.53.0.windows.3
Discovery Timeline
- April 15, 2026 - CVE-2026-32631 published to NVD
- April 15, 2026 - Last updated in NVD database
Technical Details for CVE-2026-32631
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw exists in how Git for Windows handles network requests that can trigger NTLM authentication. When a user clones a repository or checks out a branch that references resources on an attacker-controlled server, Windows may automatically attempt NTLM authentication with that server, inadvertently transmitting the user's NTLM hash.
The attack leverages the Windows operating system's default behavior of automatically providing NTLM credentials when challenged by a remote server. Since NTLM authentication is initiated without user consent or awareness, victims have no opportunity to reject the authentication attempt. This makes the vulnerability particularly effective in targeted attacks where an attacker can craft a malicious repository URL or submodule reference.
Root Cause
The root cause of this vulnerability is the lack of protective measures in Git for Windows to prevent NTLM authentication requests from being sent to arbitrary remote servers. Git for Windows did not implement safeguards to block or warn users when Git operations would result in NTLM credentials being transmitted to potentially untrusted endpoints.
The Windows operating system's automatic NTLM authentication mechanism, while convenient for corporate intranet scenarios, becomes a security liability when Git operations can trigger connections to attacker-controlled servers. Microsoft has acknowledged the security concerns with NTLM and has begun deprecating the protocol in favor of more secure alternatives like Kerberos.
Attack Vector
The attack is network-based and requires user interaction in the form of performing a Git operation (clone, checkout, fetch) that references a malicious URL. An attacker can exploit this vulnerability through several methods:
- Malicious Repository: Creating a repository with submodules or Git LFS references pointing to an attacker-controlled SMB or HTTP server
- Malicious Branch: Committing changes to a branch that include references triggering NTLM authentication when checked out
- Repository Configuration: Manipulating .gitconfig or .gitmodules files to include malicious server URLs
When the victim performs the Git operation, their Windows system automatically attempts NTLM authentication with the attacker's server. The attacker captures the NTLMv2 challenge-response, which can then be subjected to offline brute-force attacks to recover the plaintext password. While brute-forcing NTLMv2 hashes is computationally expensive, it remains feasible with modern hardware, especially for weaker passwords.
Detection Methods for CVE-2026-32631
Indicators of Compromise
- Unexpected outbound SMB (TCP port 445) or HTTP connections from Git processes to external IP addresses
- NTLM authentication attempts to servers outside the corporate network or trusted domains
- Git operations involving repositories with unusual submodule URLs or external references
- Network traffic showing NTLM challenge-response exchanges to untrusted endpoints
Detection Strategies
- Monitor network traffic for outbound SMB connections originating from git.exe processes to non-corporate destinations
- Implement network segmentation rules to alert on NTLM authentication attempts to external servers
- Use endpoint detection and response (EDR) solutions to track Git operations and associated network activity
- Review Git repository configurations for suspicious submodule URLs or remote references
Monitoring Recommendations
- Enable Windows Event logging for NTLM authentication events (Event ID 4624 with Logon Type 3)
- Configure network monitoring to flag outbound connections on ports 445, 139, or HTTP ports from development workstations
- Implement DNS monitoring to detect resolution requests for suspicious or newly registered domains
- Deploy SentinelOne agents configured to monitor Git process behavior and network communications
How to Mitigate CVE-2026-32631
Immediate Actions Required
- Update Git for Windows to version 2.53.0.windows.3 or later immediately
- Audit all development workstations to identify and upgrade vulnerable Git installations
- Review recently cloned repositories and checked-out branches for suspicious URLs or references
- Consider blocking outbound SMB traffic from development workstations to external networks
Patch Information
The vulnerability has been fixed in Git for Windows version 2.53.0.windows.3. Users should upgrade to this version or later to receive the security fix. The patch implements protections that prevent NTLM hash disclosure when performing Git operations. For detailed information about the fix, refer to the Git for Windows Release Notes and the GitHub Security Advisory.
Workarounds
- Disable NTLM authentication at the Windows system level using Group Policy (Note: may impact legitimate corporate applications)
- Configure network firewalls to block outbound SMB traffic to non-corporate destinations
- Use Git's credential helper to avoid NTLM-based authentication where possible
- Consider migrating to SSH-based Git authentication to eliminate reliance on Windows authentication protocols
# Configuration example - Disable NTLM for Git operations via registry
# Run in elevated PowerShell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
# Alternative: Block outbound SMB at Windows Firewall
New-NetFirewallRule -DisplayName "Block Outbound SMB" -Direction Outbound -LocalPort 445 -Protocol TCP -Action Block -Program "C:\Program Files\Git\mingw64\bin\git.exe"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
