CURL-CVE-2026-3784

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-3784.html

Import Source

https://curl.se/docs/CURL-CVE-2026-3784.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-3784

Aliases

CVE-2026-3784

Published

2026-03-11T08:00:00Z

Modified

2026-03-13T05:56:49.393824Z

Summary

wrong proxy connection reuse with credentials

Details

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Database specific

{
    "package": "curl",
    "issue": "https://hackerone.com/reports/3584903",
    "severity": "Low",
    "URL": "https://curl.se/docs/CVE-2026-3784.json",
    "affects": "both",
    "CWE": {
        "desc": "Authentication Bypass by Primary Weakness",
        "id": "CWE-305"
    },
    "www": "https://curl.se/docs/CVE-2026-3784.html",
    "last_affected": "8.18.0"
}

References

Credits

- Muhamad Arga Reksapati (HackerOne: nobcoder) - FINDER
- Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.7

Fixed

8.19.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4

Fixed

5f13a7645e565c5c1a06f3ef86e97afb856fb364

Affected versions

7.*

7.10

7.10.1

7.10.2

7.10.3

7.10.4

7.10.5

7.10.6

7.10.7

7.10.8

7.11.0

7.11.1

7.11.2

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.7

7.7.1

7.7.2

7.7.3

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.8

7.8.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

7.9

7.9.1

7.9.2

7.9.3

7.9.4

7.9.5

7.9.6

7.9.7

7.9.8

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CURL-CVE-2026-3784-1563ccc6",
        "target": {
            "file": "lib/url.c",
            "function": "proxy_info_matches"
        },
        "digest": {
            "length": 250.0,
            "function_hash": "304424982618101118051780626607065937137"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CURL-CVE-2026-3784-24fdd663",
        "target": {
            "file": "lib/url.c",
            "function": "socks_proxy_info_matches"
        },
        "digest": {
            "length": 251.0,
            "function_hash": "156847319230870095583887509199151235125"
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CURL-CVE-2026-3784-db376948",
        "target": {
            "file": "lib/url.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "28198451978076953179959188918451268147",
                "281673914764183415723044625038716534191",
                "200855833354261436815608522668489466846",
                "5387804322910666783572395908044232661",
                "236020795518562151691835007362979410387",
                "17450557644387912671244308544988815862",
                "143048806250994210279637270903948951646",
                "140460714839795236180824974953309975661",
                "333720084210032823607267343226770582379",
                "331697448246752651778648505556653532906",
                "22128409967120680154956528188638186822",
                "137746103134972144068270578958105877138",
                "65788874135120305231986682270701016923",
                "60737932765286278430331372663472782818",
                "184914865177630377594351218661619057487",
                "301989571442316518697531570240250833782",
                "177716688628404441639553594179643257215",
                "67479828686876523434398651942505625370",
                "172521746541650491399053767548077956775",
                "197718837176355740128997674513855282001",
                "139478862402738275211722289962537500430"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/curl/curl.git/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364"
    }
]

source

"https://curl.se/docs/CURL-CVE-2026-3784.json"