CVE-2026-9079

Summary

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

Affected Software

VendorProductVersion RangeStatus
curlcurl8.20.0 <= 8.20.0affected
curlcurl8.19.0 <= 8.19.0affected
curlcurl8.18.0 <= 8.18.0affected
curlcurl8.17.0 <= 8.17.0affected
curlcurl8.16.0 <= 8.16.0affected
curlcurl8.15.0 <= 8.15.0affected
curlcurl8.14.1 <= 8.14.1affected
curlcurl8.14.0 <= 8.14.0affected
curlcurl8.13.0 <= 8.13.0affected
curlcurl8.12.1 <= 8.12.1affected
curlcurl8.12.0 <= 8.12.0affected
curlcurl8.11.1 <= 8.11.1affected
curlcurl8.11.0 <= 8.11.0affected
curlcurl8.10.1 <= 8.10.1affected
curlcurl8.10.0 <= 8.10.0affected
curlcurl8.9.1 <= 8.9.1affected
curlcurl8.9.0 <= 8.9.0affected
curlcurl8.8.0 <= 8.8.0affected

Weaknesses

  • CWE-522 Insufficiently Protected Credentials

References