CVE-2026-3783

Summary

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

Affected Software

VendorProductVersion RangeStatus
curlcurl8.18.0 <= 8.18.0affected
curlcurl8.17.0 <= 8.17.0affected
curlcurl8.16.0 <= 8.16.0affected
curlcurl8.15.0 <= 8.15.0affected
curlcurl8.14.1 <= 8.14.1affected
curlcurl8.14.0 <= 8.14.0affected
curlcurl8.13.0 <= 8.13.0affected
curlcurl8.12.1 <= 8.12.1affected
curlcurl8.12.0 <= 8.12.0affected
curlcurl8.11.1 <= 8.11.1affected
curlcurl8.11.0 <= 8.11.0affected
curlcurl8.10.1 <= 8.10.1affected
curlcurl8.10.0 <= 8.10.0affected
curlcurl8.9.1 <= 8.9.1affected
curlcurl8.9.0 <= 8.9.0affected
curlcurl8.8.0 <= 8.8.0affected
curlcurl8.7.1 <= 8.7.1affected
curlcurl8.7.0 <= 8.7.0affected
curlcurl8.6.0 <= 8.6.0affected
curlcurl8.5.0 <= 8.5.0affected
curlcurl8.4.0 <= 8.4.0affected
curlcurl8.3.0 <= 8.3.0affected
curlcurl8.2.1 <= 8.2.1affected
curlcurl8.2.0 <= 8.2.0affected
curlcurl8.1.2 <= 8.1.2affected
curlcurl8.1.1 <= 8.1.1affected
curlcurl8.1.0 <= 8.1.0affected
curlcurl8.0.1 <= 8.0.1affected
curlcurl8.0.0 <= 8.0.0affected
curlcurl7.88.1 <= 7.88.1affected
curlcurl7.88.0 <= 7.88.0affected
curlcurl7.87.0 <= 7.87.0affected
curlcurl7.86.0 <= 7.86.0affected
curlcurl7.85.0 <= 7.85.0affected
curlcurl7.84.0 <= 7.84.0affected
curlcurl7.83.1 <= 7.83.1affected
curlcurl7.83.0 <= 7.83.0affected
curlcurl7.82.0 <= 7.82.0affected
curlcurl7.81.0 <= 7.81.0affected
curlcurl7.80.0 <= 7.80.0affected
curlcurl7.79.1 <= 7.79.1affected
curlcurl7.79.0 <= 7.79.0affected
curlcurl7.78.0 <= 7.78.0affected
curlcurl7.77.0 <= 7.77.0affected
curlcurl7.76.1 <= 7.76.1affected
curlcurl7.76.0 <= 7.76.0affected
curlcurl7.75.0 <= 7.75.0affected
curlcurl7.74.0 <= 7.74.0affected
curlcurl7.73.0 <= 7.73.0affected
curlcurl7.72.0 <= 7.72.0affected
curlcurl7.71.1 <= 7.71.1affected
curlcurl7.71.0 <= 7.71.0affected
curlcurl7.70.0 <= 7.70.0affected
curlcurl7.69.1 <= 7.69.1affected
curlcurl7.69.0 <= 7.69.0affected
curlcurl7.68.0 <= 7.68.0affected
curlcurl7.67.0 <= 7.67.0affected
curlcurl7.66.0 <= 7.66.0affected
curlcurl7.65.3 <= 7.65.3affected
curlcurl7.65.2 <= 7.65.2affected
curlcurl7.65.1 <= 7.65.1affected
curlcurl7.65.0 <= 7.65.0affected
curlcurl7.64.1 <= 7.64.1affected
curlcurl7.64.0 <= 7.64.0affected
curlcurl7.63.0 <= 7.63.0affected
curlcurl7.62.0 <= 7.62.0affected
curlcurl7.61.1 <= 7.61.1affected
curlcurl7.61.0 <= 7.61.0affected
curlcurl7.60.0 <= 7.60.0affected
curlcurl7.59.0 <= 7.59.0affected
curlcurl7.58.0 <= 7.58.0affected
curlcurl7.57.0 <= 7.57.0affected
curlcurl7.56.1 <= 7.56.1affected
curlcurl7.56.0 <= 7.56.0affected
curlcurl7.55.1 <= 7.55.1affected
curlcurl7.55.0 <= 7.55.0affected
curlcurl7.54.1 <= 7.54.1affected
curlcurl7.54.0 <= 7.54.0affected
curlcurl7.53.1 <= 7.53.1affected
curlcurl7.53.0 <= 7.53.0affected
curlcurl7.52.1 <= 7.52.1affected
curlcurl7.52.0 <= 7.52.0affected
curlcurl7.51.0 <= 7.51.0affected
curlcurl7.50.3 <= 7.50.3affected
curlcurl7.50.2 <= 7.50.2affected
curlcurl7.50.1 <= 7.50.1affected
curlcurl7.50.0 <= 7.50.0affected
curlcurl7.49.1 <= 7.49.1affected
curlcurl7.49.0 <= 7.49.0affected
curlcurl7.48.0 <= 7.48.0affected
curlcurl7.47.1 <= 7.47.1affected
curlcurl7.47.0 <= 7.47.0affected
curlcurl7.46.0 <= 7.46.0affected
curlcurl7.45.0 <= 7.45.0affected
curlcurl7.44.0 <= 7.44.0affected
curlcurl7.43.0 <= 7.43.0affected
curlcurl7.42.1 <= 7.42.1affected
curlcurl7.42.0 <= 7.42.0affected
curlcurl7.41.0 <= 7.41.0affected
curlcurl7.40.0 <= 7.40.0affected
curlcurl7.39.0 <= 7.39.0affected
curlcurl7.38.0 <= 7.38.0affected
curlcurl7.37.1 <= 7.37.1affected
curlcurl7.37.0 <= 7.37.0affected
curlcurl7.36.0 <= 7.36.0affected
curlcurl7.35.0 <= 7.35.0affected
curlcurl7.34.0 <= 7.34.0affected
curlcurl7.33.0 <= 7.33.0affected

Weaknesses

  • CWE-522 Insufficiently Protected Credentials

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References