ALPINE-CVE-2026-12064

Source
https://security.alpinelinux.org/vuln/CVE-2026-12064
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-12064.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-12064
Upstream
  • CVE-2026-12064
Published
2026-07-03T07:16:24.217Z
Modified
2026-07-07T10:30:04.627490085Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPTSSHHOSTPUBLICKEYSHA256 and CURLOPTSSHKNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPTDEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

References

Affected packages

Alpine:v3.24 / curl

Package

Name
curl
Purl
pkg:apk/alpine/curl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.21.0-r0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-12064.json"