CVE-2026-8926

Summary

When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a username(without a password), like https://user@example.com/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no match for the specified user.

Affected Software

VendorProductVersion RangeStatus
curlcurl8.20.0 <= 8.20.0affected
curlcurl8.19.0 <= 8.19.0affected
curlcurl8.18.0 <= 8.18.0affected
curlcurl8.17.0 <= 8.17.0affected
curlcurl8.16.0 <= 8.16.0affected
curlcurl8.15.0 <= 8.15.0affected
curlcurl8.14.1 <= 8.14.1affected
curlcurl8.14.0 <= 8.14.0affected
curlcurl8.13.0 <= 8.13.0affected
curlcurl8.12.1 <= 8.12.1affected
curlcurl8.12.0 <= 8.12.0affected
curlcurl8.11.1 <= 8.11.1affected

Weaknesses

  • CWE-522 Insufficiently Protected Credentials

References