CURL-CVE-2026-6276

Source
https://curl.se/docs/CVE-2026-6276.html
Import Source
https://curl.se/docs/CURL-CVE-2026-6276.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-6276
Aliases
  • CVE-2026-6276
Published
2026-04-29T08:00:00Z
Modified
2026-04-29T14:05:08.676955Z
Summary
stale custom cookie host causes cookie leak
Details

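Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use the stale cookie host from the first request and pass on cookies meant for the first host, leaking them to the server that receives the second request. Per this record, the flaw was introduced in curl 7.71.0, last affects 8.19.0, and is fixed in 8.20.0.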

Database specific
{
    "last_affected": "8.19.0",
    "package": "curl",
    "www": "https://curl.se/docs/CVE-2026-6276.html",
    "CWE": {
        "desc": "Origin Validation Error",
        "id": "CWE-346"
    },
    "severity": "Low",
    "URL": "https://curl.se/docs/CVE-2026-6276.json",
    "issue": "https://hackerone.com/reports/3671818",
    "affects": "lib"
}
References
Credits
    • Muhamad Arga Reksapati - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.71.0
Fixed
8.20.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.2.0
8.2.1
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1

Database specific

vanir_signatures
[
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-0ac65ced",
        "digest": {
            "length": 1414.0,
            "function_hash": "87592061230657955318981218133684999975"
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Function",
        "target": {
            "file": "lib/http.c",
            "function": "http_header_s"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-0ffe0f69",
        "digest": {
            "line_hashes": [
                "171988240512984612269587551632163038571",
                "75389831611962138348117264801186539779",
                "73309598378597236808913704521649040122",
                "309646044060919705357756477712025259850"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Line",
        "target": {
            "file": "lib/request.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-11ff6443",
        "digest": {
            "length": 1702.0,
            "function_hash": "32051988689081819522737095878233749408"
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Function",
        "target": {
            "file": "lib/http.c",
            "function": "http_cookies"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-2729c5da",
        "digest": {
            "length": 2418.0,
            "function_hash": "302147203344973433846057051405572447583"
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Function",
        "target": {
            "file": "lib/url.c",
            "function": "Curl_close"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-4f4a3478",
        "digest": {
            "line_hashes": [
                "174911612641010941780281456357795994083",
                "182851755633630007462614611881954198795",
                "264369094720985994471578876087369011512",
                "223266319994001853435859657481562263016"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Line",
        "target": {
            "file": "lib/request.h"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-5741a933",
        "digest": {
            "length": 1808.0,
            "function_hash": "305791396478226075161736883888702136045"
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Function",
        "target": {
            "file": "lib/http.c",
            "function": "http_set_aptr_host"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-64949095",
        "digest": {
            "line_hashes": [
                "283982150811995305986753465288461254359",
                "13272546088090968712004108453229921672",
                "167426382410054945077929403440748535987",
                "30112886187398335960284659399942913113",
                "89959965356516376283576457035109926291",
                "65012684279830032400373560626778044514",
                "277638126568657774373486091485254830257",
                "16357392304951050524263955452404846358",
                "98648851675095774467569604512276434063",
                "211464355238834856707255458651466173398",
                "100175197604038361224512095789956406932",
                "109730848940614471037942941140006037492",
                "140193860686819141126457796534230004668",
                "286575543071640766658936213512709959211",
                "46397033835876317614014667242428368194",
                "243253942449659807455321154521747228966",
                "165774944775710093316824606978267144930",
                "258653442541979759167112828639262956820",
                "192064049689208402819665008320946912087"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Line",
        "target": {
            "file": "lib/http.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-bd4dcaea",
        "digest": {
            "line_hashes": [
                "254921028774265211208121895098925147474",
                "304514420562509900711684113576259828185",
                "254392577978580508779840959026138582541",
                "222543298672355698477439219408390343716"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Line",
        "target": {
            "file": "lib/url.c"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-c0002ed9",
        "digest": {
            "length": 1532.0,
            "function_hash": "53635957160524668241827803467331392725"
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Function",
        "target": {
            "file": "lib/request.c",
            "function": "Curl_req_hard_reset"
        }
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-6276-ebf2e4e4",
        "digest": {
            "line_hashes": [
                "47901756535975908674893528439717975135",
                "117783477264053496164275795880668466993",
                "5957519917623989520335370390434225490",
                "189490742605084598927439303412946635010",
                "52306912415285677421639882584265520515",
                "174420618053987917779352372379083604925"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db",
        "signature_type": "Line",
        "target": {
            "file": "lib/urldata.h"
        }
    }
]
source
"https://curl.se/docs/CURL-CVE-2026-6276.json"
vanir_signatures_modified
"2026-04-29T14:05:08Z"