CVE-2026-6253

Summary

curl might erroneously pass on credentials for a first proxy to a second proxy.

This can happen when the following conditions are true:

  1. curl is setup to use specific different proxies for different URL schemes
  2. the first proxy needs credentials
  3. the second proxy uses no credentials
  4. while using the first proxy (using say http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different, proxy

Affected Software

VendorProductVersion RangeStatus
curlcurl8.19.0 <= 8.19.0affected
curlcurl8.18.0 <= 8.18.0affected
curlcurl8.17.0 <= 8.17.0affected
curlcurl8.16.0 <= 8.16.0affected
curlcurl8.15.0 <= 8.15.0affected
curlcurl8.14.1 <= 8.14.1affected
curlcurl8.14.0 <= 8.14.0affected
curlcurl8.13.0 <= 8.13.0affected
curlcurl8.12.1 <= 8.12.1affected
curlcurl8.12.0 <= 8.12.0affected
curlcurl8.11.1 <= 8.11.1affected
curlcurl8.11.0 <= 8.11.0affected
curlcurl8.10.1 <= 8.10.1affected
curlcurl8.10.0 <= 8.10.0affected
curlcurl8.9.1 <= 8.9.1affected
curlcurl8.9.0 <= 8.9.0affected
curlcurl8.8.0 <= 8.8.0affected
curlcurl8.7.1 <= 8.7.1affected
curlcurl8.7.0 <= 8.7.0affected
curlcurl8.6.0 <= 8.6.0affected
curlcurl8.5.0 <= 8.5.0affected
curlcurl8.4.0 <= 8.4.0affected
curlcurl8.3.0 <= 8.3.0affected
curlcurl8.2.1 <= 8.2.1affected
curlcurl8.2.0 <= 8.2.0affected
curlcurl8.1.2 <= 8.1.2affected
curlcurl8.1.1 <= 8.1.1affected
curlcurl8.1.0 <= 8.1.0affected
curlcurl8.0.1 <= 8.0.1affected
curlcurl8.0.0 <= 8.0.0affected
curlcurl7.88.1 <= 7.88.1affected
curlcurl7.88.0 <= 7.88.0affected
curlcurl7.87.0 <= 7.87.0affected
curlcurl7.86.0 <= 7.86.0affected
curlcurl7.85.0 <= 7.85.0affected
curlcurl7.84.0 <= 7.84.0affected
curlcurl7.83.1 <= 7.83.1affected
curlcurl7.83.0 <= 7.83.0affected
curlcurl7.82.0 <= 7.82.0affected
curlcurl7.81.0 <= 7.81.0affected
curlcurl7.80.0 <= 7.80.0affected
curlcurl7.79.1 <= 7.79.1affected
curlcurl7.79.0 <= 7.79.0affected
curlcurl7.78.0 <= 7.78.0affected
curlcurl7.77.0 <= 7.77.0affected
curlcurl7.76.1 <= 7.76.1affected
curlcurl7.76.0 <= 7.76.0affected
curlcurl7.75.0 <= 7.75.0affected
curlcurl7.74.0 <= 7.74.0affected
curlcurl7.73.0 <= 7.73.0affected
curlcurl7.72.0 <= 7.72.0affected
curlcurl7.71.1 <= 7.71.1affected
curlcurl7.71.0 <= 7.71.0affected
curlcurl7.70.0 <= 7.70.0affected
curlcurl7.69.1 <= 7.69.1affected
curlcurl7.69.0 <= 7.69.0affected
curlcurl7.68.0 <= 7.68.0affected
curlcurl7.67.0 <= 7.67.0affected
curlcurl7.66.0 <= 7.66.0affected
curlcurl7.65.3 <= 7.65.3affected
curlcurl7.65.2 <= 7.65.2affected
curlcurl7.65.1 <= 7.65.1affected
curlcurl7.65.0 <= 7.65.0affected
curlcurl7.64.1 <= 7.64.1affected
curlcurl7.64.0 <= 7.64.0affected
curlcurl7.63.0 <= 7.63.0affected
curlcurl7.62.0 <= 7.62.0affected
curlcurl7.61.1 <= 7.61.1affected
curlcurl7.61.0 <= 7.61.0affected
curlcurl7.60.0 <= 7.60.0affected
curlcurl7.59.0 <= 7.59.0affected
curlcurl7.58.0 <= 7.58.0affected
curlcurl7.57.0 <= 7.57.0affected
curlcurl7.56.1 <= 7.56.1affected
curlcurl7.56.0 <= 7.56.0affected
curlcurl7.55.1 <= 7.55.1affected
curlcurl7.55.0 <= 7.55.0affected
curlcurl7.54.1 <= 7.54.1affected
curlcurl7.54.0 <= 7.54.0affected
curlcurl7.53.1 <= 7.53.1affected
curlcurl7.53.0 <= 7.53.0affected
curlcurl7.52.1 <= 7.52.1affected
curlcurl7.52.0 <= 7.52.0affected
curlcurl7.51.0 <= 7.51.0affected
curlcurl7.50.3 <= 7.50.3affected
curlcurl7.50.2 <= 7.50.2affected
curlcurl7.50.1 <= 7.50.1affected
curlcurl7.50.0 <= 7.50.0affected
curlcurl7.49.1 <= 7.49.1affected
curlcurl7.49.0 <= 7.49.0affected
curlcurl7.48.0 <= 7.48.0affected
curlcurl7.47.1 <= 7.47.1affected
curlcurl7.47.0 <= 7.47.0affected
curlcurl7.46.0 <= 7.46.0affected
curlcurl7.45.0 <= 7.45.0affected
curlcurl7.44.0 <= 7.44.0affected
curlcurl7.43.0 <= 7.43.0affected
curlcurl7.42.1 <= 7.42.1affected
curlcurl7.42.0 <= 7.42.0affected
curlcurl7.41.0 <= 7.41.0affected
curlcurl7.40.0 <= 7.40.0affected
curlcurl7.39.0 <= 7.39.0affected
curlcurl7.38.0 <= 7.38.0affected
curlcurl7.37.1 <= 7.37.1affected
curlcurl7.37.0 <= 7.37.0affected
curlcurl7.36.0 <= 7.36.0affected
curlcurl7.35.0 <= 7.35.0affected
curlcurl7.34.0 <= 7.34.0affected
curlcurl7.33.0 <= 7.33.0affected
curlcurl7.32.0 <= 7.32.0affected
curlcurl7.31.0 <= 7.31.0affected
curlcurl7.30.0 <= 7.30.0affected
curlcurl7.29.0 <= 7.29.0affected
curlcurl7.28.1 <= 7.28.1affected
curlcurl7.28.0 <= 7.28.0affected
curlcurl7.27.0 <= 7.27.0affected
curlcurl7.26.0 <= 7.26.0affected
curlcurl7.25.0 <= 7.25.0affected
curlcurl7.24.0 <= 7.24.0affected
curlcurl7.23.1 <= 7.23.1affected
curlcurl7.23.0 <= 7.23.0affected
curlcurl7.22.0 <= 7.22.0affected
curlcurl7.21.7 <= 7.21.7affected
curlcurl7.21.6 <= 7.21.6affected
curlcurl7.21.5 <= 7.21.5affected
curlcurl7.21.4 <= 7.21.4affected
curlcurl7.21.3 <= 7.21.3affected
curlcurl7.21.2 <= 7.21.2affected
curlcurl7.21.1 <= 7.21.1affected
curlcurl7.21.0 <= 7.21.0affected
curlcurl7.20.1 <= 7.20.1affected
curlcurl7.20.0 <= 7.20.0affected
curlcurl7.19.7 <= 7.19.7affected
curlcurl7.19.6 <= 7.19.6affected
curlcurl7.19.5 <= 7.19.5affected
curlcurl7.19.4 <= 7.19.4affected
curlcurl7.19.3 <= 7.19.3affected
curlcurl7.19.2 <= 7.19.2affected
curlcurl7.19.1 <= 7.19.1affected
curlcurl7.19.0 <= 7.19.0affected
curlcurl7.18.2 <= 7.18.2affected
curlcurl7.18.1 <= 7.18.1affected
curlcurl7.18.0 <= 7.18.0affected
curlcurl7.17.1 <= 7.17.1affected
curlcurl7.17.0 <= 7.17.0affected
curlcurl7.16.4 <= 7.16.4affected
curlcurl7.16.3 <= 7.16.3affected
curlcurl7.16.2 <= 7.16.2affected
curlcurl7.16.1 <= 7.16.1affected
curlcurl7.16.0 <= 7.16.0affected
curlcurl7.15.5 <= 7.15.5affected
curlcurl7.15.4 <= 7.15.4affected
curlcurl7.15.3 <= 7.15.3affected
curlcurl7.15.2 <= 7.15.2affected
curlcurl7.15.1 <= 7.15.1affected
curlcurl7.15.0 <= 7.15.0affected
curlcurl7.14.1 <= 7.14.1affected

Weaknesses

  • CWE-522 Insufficiently Protected Credentials

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References