CVE-2026-53632: launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

June 15, 2026

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

References

github.com/advisories/GHSA-v6wh-96g9-6wx3
github.com/vitejs/launch-editor/security/advisories/GHSA-v6wh-96g9-6wx3
nvd.nist.gov/vuln/detail/CVE-2026-53632

Code Behaviors & Features

Detect and mitigate CVE-2026-53632 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →