CVE-2026-32952: go-ntlmssp NTLM challenges can panic on malformed payloads

April 23, 2026 (updated April 27, 2026)

go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue.

References

github.com/Azure/go-ntlmssp
github.com/Azure/go-ntlmssp/releases/tag/v0.1.1
github.com/Azure/go-ntlmssp/security/advisories/GHSA-pjcq-xvwq-hhpj
github.com/advisories/GHSA-pjcq-xvwq-hhpj
nvd.nist.gov/vuln/detail/CVE-2026-32952

Code Behaviors & Features

Detect and mitigate CVE-2026-32952 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →