CVE-2026-9546
N/A
N/A
Summary
A vulnerability in libcurl caused the HTTP Referer: header to persist even
when explicitly cleared. While the documentation states that passing NULL to
CURLOPT_REFERER suppresses the header, the option failed to clear the
internal state. As a result the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| curl | curl | 8.20.0 <= 8.20.0 | affected |
| curl | curl | 8.19.0 <= 8.19.0 | affected |
| curl | curl | 8.18.0 <= 8.18.0 | affected |
Weaknesses
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
References
- https://curl.se/docs/CVE-2026-9546.json
- https://curl.se/docs/CVE-2026-9546.html
- https://hackerone.com/reports/3754343
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.