CURL-CVE-2026-3783

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-3783.html

Import Source

https://curl.se/docs/CURL-CVE-2026-3783.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-3783

Aliases

CVE-2026-3783

Published

2026-03-11T08:00:00Z

Modified

2026-03-13T05:56:49.943553Z

Summary

token leak with redirect and netrc

Details

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

Database specific

{
    "package": "curl",
    "issue": "https://hackerone.com/reports/3583983",
    "severity": "Medium",
    "URL": "https://curl.se/docs/CVE-2026-3783.json",
    "affects": "both",
    "CWE": {
        "desc": "Insufficiently Protected Credentials",
        "id": "CWE-522"
    },
    "www": "https://curl.se/docs/CVE-2026-3783.html",
    "last_affected": "8.18.0"
}

References

Credits

- spectreglobalsec on hackerone - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.33.0

Fixed

8.19.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

06c1bea72faabb6fad4b7ef818aafaa336c9a7aa

Fixed

e3d7401a32a46516c9e5ee877e613e62ed35bddc

Affected versions

7.*

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CURL-CVE-2026-3783-2c073f62",
        "target": {
            "file": "lib/http.c",
            "function": "output_auth_headers"
        },
        "digest": {
            "length": 2311.0,
            "function_hash": "255706826044943101070019469023341439587"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CURL-CVE-2026-3783-789c9b54",
        "target": {
            "file": "lib/http.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "265035635595171995197433923812567969557",
                "41903243714880020210981115211245487159",
                "4794297661649355252422450833806603524",
                "93029269979120594134270703357211590550"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/e3d7401a32a46516c9e5ee877e613e62ed35bddc"
    }
]

source

"https://curl.se/docs/CURL-CVE-2026-3783.json"