CVE-2026-32631 Overview
CVE-2026-32631 is an information disclosure vulnerability in Git for Windows, the Windows port of Git. Versions prior to 2.53.0.windows.3 lack protections against attacker-controlled servers harvesting a user's NTLM hash. An attacker can trick a user into cloning a malicious repository or checking out a malicious branch that references a remote resource hosted on an attacker-controlled server. Because NTLM authentication on Windows proceeds without user interaction by default, the client transmits an NTLMv2 response that can be captured and brute-forced offline to recover credentials. The issue is classified as Information Exposure [CWE-200].
Critical Impact
A successful attack yields a user's NTLMv2 hash, enabling offline brute-force recovery of Windows credentials and downstream lateral movement.
Affected Products
- Git for Windows versions prior to 2.53.0.windows.3
- Windows hosts performing NTLM authentication during Git operations
- Developer workstations and build agents running vulnerable Git for Windows clients
Discovery Timeline
- 2026-04-15 - CVE-2026-32631 published to NVD
- 2026-04-17 - Last updated in NVD database
Technical Details for CVE-2026-32631
Vulnerability Analysis
The flaw resides in how Git for Windows resolves remote resources during clone and checkout operations. When a repository or branch references a network path under attacker control, Windows networking stacks transparently negotiate NTLM authentication against that endpoint. The Git for Windows client does not block or sanitize these implicit authentication attempts. As a result, the operating system sends the current user's NTLMv2 response to the attacker's server without prompting the user.
An attacker operating the remote endpoint captures the NTLMv2 challenge-response pair. Offline cracking against weak or moderately complex passwords is expensive but feasible with modern GPU clusters. Recovered credentials grant the attacker the user's domain or local Windows identity, which can be relayed or reused against other services. The vulnerability requires user interaction (UI:R) in the form of cloning or checking out the malicious content.
Root Cause
The root cause is the absence of guardrails preventing Git for Windows from triggering implicit NTLM authentication to untrusted hosts. Git operations can dereference UNC paths, submodule URLs, or hook scripts that resolve over SMB or HTTP, and Windows automatically supplies NTLM credentials when challenged.
Attack Vector
The attacker hosts a crafted repository on a public Git provider or distributes a branch that, when fetched or checked out, causes the Git client to access an attacker-controlled server. The victim's machine transmits its NTLMv2 hash during the authentication handshake. No additional privileges are required, and the attack succeeds over the network.
No public proof-of-concept code has been published. The GitHub Security Advisory GHSA-9j5h-h4m7-85hx describes the exploitation pattern and the upstream fix.
Detection Methods for CVE-2026-32631
Indicators of Compromise
- Outbound SMB (TCP/445) or NTLM authentication attempts originating from developer workstations to untrusted external hosts immediately after git clone, git fetch, or git checkout operations.
- Git repository configurations or submodule URLs referencing UNC paths (\\host\share) or non-standard remote endpoints.
- Event ID 4624 or 4625 logon attempts on external hosts using domain credentials sourced from developer machines.
Detection Strategies
- Inspect process telemetry for git.exe child processes initiating connections to untrusted IP ranges over SMB or HTTP shortly after repository operations.
- Correlate Sysmon Event ID 3 (network connect) with Event ID 1 (process create) for git.exe to identify anomalous destinations.
- Hunt within .gitmodules, .git/config, and hook scripts for suspicious URLs or UNC paths in newly cloned repositories.
Monitoring Recommendations
- Alert on any outbound SMB traffic from end-user subnets to the public internet, which should be blocked at the perimeter.
- Monitor for NTLM authentication events to non-domain-joined or unrecognized servers.
- Track Git for Windows version inventory across managed endpoints and flag hosts running versions below 2.53.0.windows.3.
How to Mitigate CVE-2026-32631
Immediate Actions Required
- Upgrade all Git for Windows installations to version 2.53.0.windows.3 or later, available from the Git for Windows Release Notes.
- Block outbound TCP/445 (SMB) and TCP/139 at the network perimeter to prevent NTLM hash exfiltration to external hosts.
- Audit recently cloned repositories on developer workstations for malicious submodule URLs or hook scripts.
Patch Information
The fix is included in Git for Windows 2.53.0.windows.3. Refer to GitHub Security Advisory GHSA-9j5h-h4m7-85hx for the upstream fix details and to the Git for Windows Release Notes for installer downloads.
Workarounds
- Disable NTLM outbound authentication via Group Policy Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers, consistent with Microsoft's NTLM deprecation guidance.
- Restrict Git operations on sensitive systems to vetted repository hosts using firewall egress rules.
- Educate developers to avoid cloning or checking out untrusted repositories and branches until patching is complete.
# Verify installed Git for Windows version
git --version
# Group Policy registry equivalent: deny outbound NTLM to remote servers
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v RestrictSendingNTLMTraffic /t REG_DWORD /d 2 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
