CVE-2026-9079
N/A
N/A
Summary
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| curl | curl | 8.20.0 <= 8.20.0 | affected |
| curl | curl | 8.19.0 <= 8.19.0 | affected |
| curl | curl | 8.18.0 <= 8.18.0 | affected |
| curl | curl | 8.17.0 <= 8.17.0 | affected |
| curl | curl | 8.16.0 <= 8.16.0 | affected |
| curl | curl | 8.15.0 <= 8.15.0 | affected |
| curl | curl | 8.14.1 <= 8.14.1 | affected |
| curl | curl | 8.14.0 <= 8.14.0 | affected |
| curl | curl | 8.13.0 <= 8.13.0 | affected |
| curl | curl | 8.12.1 <= 8.12.1 | affected |
| curl | curl | 8.12.0 <= 8.12.0 | affected |
| curl | curl | 8.11.1 <= 8.11.1 | affected |
| curl | curl | 8.11.0 <= 8.11.0 | affected |
| curl | curl | 8.10.1 <= 8.10.1 | affected |
| curl | curl | 8.10.0 <= 8.10.0 | affected |
| curl | curl | 8.9.1 <= 8.9.1 | affected |
| curl | curl | 8.9.0 <= 8.9.0 | affected |
| curl | curl | 8.8.0 <= 8.8.0 | affected |
Weaknesses
- CWE-522 Insufficiently Protected Credentials
References
- https://curl.se/docs/CVE-2026-9079.json
- https://curl.se/docs/CVE-2026-9079.html
- https://hackerone.com/reports/3750295
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.