{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32631", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.559Z", "datePublished": "2026-04-15T17:26:44.154Z", "dateUpdated": "2026-04-15T18:44:04.155Z"}, "containers": {"cna": {"title": "Git for Windows: `git clone` from manipulated repositories can leak NTLM hashes to arbitrary servers", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hx"}, {"name": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3"}, {"name": "https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM", "tags": ["x_refsource_MISC"], "url": "https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM"}, {"name": "https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e", "tags": ["x_refsource_MISC"], "url": "https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e"}, {"name": "https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848", "tags": ["x_refsource_MISC"], "url": "https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848"}], "affected": [{"vendor": "git-for-windows", "product": "git", "versions": [{"version": "< 2.53.0.windows.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:26:44.154Z"}, "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3."}], "source": {"advisory": "GHSA-9j5h-h4m7-85hx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T18:43:55.597018Z", "id": "CVE-2026-32631", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:44:04.155Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32631", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T18:43:55.597018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:43:58.924Z"}}], "cna": {"title": "Git for Windows: `git clone` from manipulated repositories can leak NTLM hashes to arbitrary servers", "source": {"advisory": "GHSA-9j5h-h4m7-85hx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "git-for-windows", "product": "git", "versions": [{"status": "affected", "version": "< 2.53.0.windows.3"}]}], "references": [{"url": "https://github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hx", "name": "https://github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3", "name": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3", "tags": ["x_refsource_MISC"]}, {"url": "https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM", "name": "https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM", "tags": ["x_refsource_MISC"]}, {"url": "https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e", "name": "https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e", "tags": ["x_refsource_MISC"]}, {"url": "https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848", "name": "https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-15T17:26:44.154Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32631", "state": "PUBLISHED", "dateUpdated": "2026-04-15T18:44:04.155Z", "dateReserved": "2026-03-12T15:29:36.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-15T17:26:44.154Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3."}], "id": "CVE-2026-32631", "lastModified": "2026-04-17T15:38:09.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-15T18:17:17.437", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hx"}, {"source": "security-advisories@github.com", "url": "https://learn.microsoft.com/en-au/windows/whats-new/deprecated-features#:~:text=NTLM"}, {"source": "security-advisories@github.com", "url": "https://support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2e"}, {"source": "security-advisories@github.com", "url": "https://techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.53.0.windows.3)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "git", "source": "cna", "vendor": "git-for-windows"}, "product": "git", "vendor": "gitforwindows"}], "analysis": {"en": {"generated_at": "2026-04-15T22:16:09.656389+00:00", "value": {"mitigation_remediation": ["Update Git for Windows to version 2.53.0.windows.3 or later to eliminate the hash leak", "Disable NTLM authentication in Windows or enforce stronger authentication mechanisms for Git traffic", "Verify that users do not clone from untrusted or unknown repositories and educate them about the risks of malicious Git servers"], "summary": {"action": "Immediate Patch", "impact": "NTLM Hash Disclosure"}, "threat_synthesis": {"affected_systems": "Git for Windows, product \"Git\". Users running any Git for Windows release prior to 2.53.0.windows.3 are affected. Versions 2.53.0.windows.3 and later contain the fix.", "description_and_impact": "Git for Windows versions older than 2.53.0.windows.3 allow an attacker to obtain a user\u2019s NTLM hash by tricking the user into cloning a malicious repository or checking out a malicious branch. The clone operation contacts an attacker-controlled Git server and, via default NTLM authentication, streams the user\u2019s NTLM credentials to the server without requiring any user interaction. The leaked hash can then be brute forced, enabling credential compromise. This vulnerability is an information disclosure flaw (CWE-200).", "risk_and_exploitability": "The vulnerability scores a high CVSS of 7.4. EPSS is not reported, indicating that the exploitation probability is not quantified, but the issue is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote: any actor who can host or trick a user into interacting with a malicious Git server can exploit this flaw. Exploitation requires only that the user run \"git clone\" or similar commands against the attacker-controlled endpoint. The consequences include potential credential theft and downstream compromise of any resources accessed with those credentials."}}}}, "created": "2026-04-15T21:00:09.452248+00:00", "updated": "2026-04-15T22:30:16.053875+00:00", "vendors": ["gitforwindows", "gitforwindows$PRODUCT$git"]}