NTLM Authentication Vulnerability in go-ntlmssp Package by Azure
CVE-2026-32952

5.3 MEDIUM

Key Information:

Vendor: Azure

CVE Published: 24 April 2026

What is CVE-2026-32952?

The go-ntlmssp package, which implements NTLM/Negotiate authentication over HTTP, contains a vulnerability that can lead to a slice out of bounds panic when it processes a malicious NTLM challenge message. As a result, any Go application that uses ntlmssp.Negotiator as an HTTP transport can crash, causing potential disruptions. The issue is fixed in version 0.1.1 of the package.
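The bug class described above, shown from the defensive side. This is an added example, not go-ntlmssp's code or its patch; the field layout follows the MS-NLMP CHALLENGE_MESSAGE definition, the page does not say which field triggers the panic, and `readField`, `parseChallenge` and `buildChallenge` are hypothetical names. Every length and offset taken from the message is checked against the buffer before slicing, so a malformed challenge yields an error rather than a panic.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// fixedLen covers the CHALLENGE_MESSAGE header through TargetInfoFields (MS-NLMP).
const fixedLen = 48

var errMalformed = errors.New("malformed NTLM challenge")

// readField returns the payload named by the 8-byte descriptor at pos (Len uint16,
// MaxLen uint16, BufferOffset uint32), rejecting any range not entirely inside msg.
func readField(msg []byte, pos int) ([]byte, error) {
	length := uint64(binary.LittleEndian.Uint16(msg[pos:]))
	offset := uint64(binary.LittleEndian.Uint32(msg[pos+4:]))
	if offset > uint64(len(msg)) || length > uint64(len(msg))-offset {
		return nil, errMalformed
	}
	return msg[offset : offset+length], nil
}

// parseChallenge checks length, signature and type, then reads both fields.
func parseChallenge(msg []byte) (name, info []byte, err error) {
	if len(msg) < fixedLen || !bytes.HasPrefix(msg, []byte("NTLMSSP\x00")) ||
		binary.LittleEndian.Uint32(msg[8:]) != 2 {
		return nil, nil, errMalformed
	}
	if name, err = readField(msg, 12); err == nil {
		info, err = readField(msg, 40)
	}
	return name, info, err
}

// buildChallenge returns a constructed sample; nameLen and nameOff are written
// as given so they can disagree with the real payload.
func buildChallenge(name []byte, nameLen uint16, nameOff uint32) []byte {
	msg := make([]byte, fixedLen, fixedLen+len(name))
	copy(msg, "NTLMSSP\x00")
	binary.LittleEndian.PutUint32(msg[8:], 2)
	binary.LittleEndian.PutUint16(msg[12:], nameLen)
	binary.LittleEndian.PutUint32(msg[16:], nameOff)
	return append(msg, name...)
}

func main() { fmt.Println(parseChallenge(buildChallenge([]byte("CORP"), 4, 0xFFFF))) }
```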

Affected Version(s)

go-ntlmssp < 0.1.1

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
