CURL-CVE-2026-12064

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-12064.html

Import Source

https://curl.se/docs/CURL-CVE-2026-12064.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-12064

Aliases

CVE-2026-12064

Published

2026-06-24T08:00:00Z

Modified

2026-06-24T08:07:07.622902Z

Summary

proto-default skips SSH verification

Details

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPTSSHHOSTPUBLICKEYSHA256 and CURLOPTSSHKNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPTDEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

Database specific

{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-12064.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3797526",
    "affects": "tool",
    "severity": "Low",
    "www": "https://curl.se/docs/CVE-2026-12064.html",
    "CWE": {
        "desc": "Improper Validation of Certificate with Host Mismatch",
        "id": "CWE-297"
    }
}

References

Credits

- alienowo on hackerone (AntAISecurityLab) - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.81.0

Fixed

8.21.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

18270893abdb19f0ca170c118f8a2847dbd304be

Fixed

ab3bb8cd8be8f9d4acb97da0418abc279182041e

Affected versions

7.*

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.19.0

8.2.0

8.2.1

8.20.0

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Other

curl-7_81_0

curl-7_82_0

curl-7_83_0

curl-7_83_1

curl-7_84_0

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_18_0

curl-8_19_0

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_20_0

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

curl-8_7_0

curl-8_7_1

curl-8_8_0

curl-8_9_0

curl-8_9_1

rc-8_18_0-1

rc-8_18_0-2

rc-8_18_0-3

rc-8_19_0-1

rc-8_19_0-2

rc-8_19_0-3

rc-8_20_0-1

rc-8_20_0-2

rc-8_20_0-3

rc-8_21_0-1

rc-8_21_0-2

tiny-curl-8_4_0

Database specific

source

"https://curl.se/docs/CURL-CVE-2026-12064.json"

vanir_signatures_modified

"2026-06-24T08:07:07Z"

vanir_signatures

[
    {
        "target": {
            "file": "src/config2setopts.c",
            "function": "url_proto_and_rewrite"
        },
        "id": "CURL-CVE-2026-12064-b3eb1e8d",
        "source": "https://github.com/curl/curl.git/commit/ab3bb8cd8be8f9d4acb97da0418abc279182041e",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 1136.0,
            "function_hash": "93882114240828177653085948016490702110"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "src/config2setopts.c"
        },
        "id": "CURL-CVE-2026-12064-d5619c82",
        "source": "https://github.com/curl/curl.git/commit/ab3bb8cd8be8f9d4acb97da0418abc279182041e",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "140522849194369262228739833591374391075",
                "47558339863403131453033268292745221021",
                "15975670465097192282932354355781322912",
                "220902106392793621708295317072227537429",
                "198975573407202876764184453290488326371",
                "3746734021152446245522935287251443430",
                "170664250380509585141008070840604764918",
                "161765996811876613295849122885315630101",
                "5374207038386086385366965339124772674",
                "261071834960052502162471400348777792193",
                "315214669734780166251393141450779423952",
                "11348971201187702211989874254882715935",
                "304598240625625498609896974683940486911",
                "176332074864481965282682475802544330239",
                "61413842227513765548216582872062936189",
                "152095212190975018695576316498032629201",
                "12824638474895083873042971640073707981",
                "147131897269297204095220721174340290043",
                "201687314332511709623400018059706721695",
                "304787371272254069598680308305763126609",
                "293436386607034365026241199574672026404",
                "169057705388842471260387887033403810014",
                "136995815859804498330318491255401917183",
                "48843095567586818894551844502984755450",
                "119204995110705058858166647734024530825"
            ]
        },
        "signature_version": "v1"
    }
]