High severity7.4NVD Advisory· Published Apr 15, 2026· Updated Apr 17, 2026
CVE-2026-32631
CVE-2026-32631
Description
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
16- Range: <2.53.0.windows.3
- osv-coords14 versionspkg:apk/chainguard/gitpkg:apk/chainguard/git-completionpkg:apk/chainguard/git-daemonpkg:apk/chainguard/git-docpkg:apk/chainguard/git-emailpkg:apk/chainguard/git-iamguarded-compatpkg:apk/chainguard/git-p4pkg:apk/wolfi/gitpkg:apk/wolfi/git-completionpkg:apk/wolfi/git-daemonpkg:apk/wolfi/git-docpkg:apk/wolfi/git-emailpkg:apk/wolfi/git-iamguarded-compatpkg:apk/wolfi/git-p4
< 2.54.0-r0+ 13 more
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
- (no CPE)range: < 2.54.0-r0
Patches
Vulnerability mechanics
References
5- github.com/git-for-windows/git/releases/tag/v2.53.0.windows.3nvd
- github.com/git-for-windows/git/security/advisories/GHSA-9j5h-h4m7-85hxnvd
- learn.microsoft.com/en-au/windows/whats-new/deprecated-featuresnvd
- support.microsoft.com/en-us/topic/upcoming-changes-to-ntlmv1-in-windows-11-version-24h2-and-windows-server-2025-c0554217-cdbc-420f-b47c-e02b2db49b2envd
- techcommunity.microsoft.com/blog/windows-itpro-blog/the-evolution-of-windows-authentication/3926848nvd
News mentions
1- Patch Tuesday - April 2026Rapid7 Blog · Apr 14, 2026