CVE-2026-53632
Deferred Deferred - Pending Action

NTLM Credential Leak in launch-editor NPM Package

Vulnerability report for CVE-2026-53632, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

launch-editor allows users to open files with line numbers in editor from Node.js. Prior to 2.14.1, the launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking. This vulnerability is fixed in 2.14.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-07-13
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53632 is a vulnerability in the launch-editor NPM package that affects Windows systems. The package allows users to open files with line numbers from Node.js, but prior to version 2.14.1, it could access arbitrary paths including Windows UNC paths (network paths like \\attacker-host\share). When such a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, which causes the user's NTLMv2 password hash to be leaked to an attacker-controlled SMB server.

This leaked hash can then be used by an attacker to perform offline cracking attacks to compromise user credentials. The vulnerability can be exploited by tricking a user into accessing a malicious website that triggers the launch-editor middleware to open a UNC path controlled by the attacker. No elevated privileges or user interaction beyond accessing the link are required.

Impact Analysis

This vulnerability can lead to the compromise of user credentials through the leakage of NTLMv2 password hashes. If an attacker obtains these hashes, they can attempt offline cracking to recover the actual passwords, especially if the passwords are weak.

Credential compromise can then impact the confidentiality, integrity, and availability of systems and data that rely on those credentials. This could allow attackers to gain unauthorized access to systems, escalate privileges, or perform further attacks within a network.

Detection Guidance

This vulnerability involves the launch-editor NPM package accessing arbitrary Windows UNC paths, which causes Windows to attempt NTLM authentication and leak NTLMv2 password hashes to an attacker-controlled SMB server.

To detect this vulnerability on your network or system, monitor for unusual outbound SMB authentication attempts to unknown or suspicious remote hosts, especially those initiated by processes related to launch-editor or Node.js applications.

You can use network monitoring tools or commands to detect such activity. For example:

  • Use Windows Event Viewer to check for SMB authentication events (Event ID 4624 or 4776) that show connections to unexpected remote hosts.
  • Use network capture tools like Wireshark or tcpdump to filter SMB traffic and identify connections to suspicious UNC paths or SMB servers.
  • On Windows, use PowerShell commands such as `Get-SmbSession` to list active SMB sessions and identify any unusual remote hosts.
  • Check logs of Node.js applications or middleware using launch-editor for any attempts to open UNC paths.
Mitigation Strategies

The primary mitigation step is to update the launch-editor NPM package to version 2.14.1 or later, where this vulnerability is fixed.

If you are using related packages such as vite or vite-plus, update them to the patched versions: vite 8.0.16, 7.3.5, or 6.4.3, and vite-plus 0.1.24.

Additionally, avoid opening or processing UNC paths from untrusted sources to prevent triggering NTLM authentication to attacker-controlled SMB servers.

Consider monitoring and restricting outbound SMB traffic to untrusted networks as a temporary control.

Compliance Impact

The vulnerability in launch-editor allows an attacker to obtain a user's NTLMv2 password hash by exploiting Windows UNC path handling, potentially leading to credential compromise through offline hash cracking.

This credential compromise can impact the confidentiality and integrity of user credentials, which are critical components of compliance with standards such as GDPR and HIPAA that require protection of sensitive information and user authentication data.

If exploited, this vulnerability could lead to unauthorized access to protected systems or data, thereby violating requirements for data protection and access control mandated by these regulations.

Remediation by updating to patched versions is necessary to maintain compliance and reduce the risk of credential leakage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53632. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart