CURL-CVE-2026-6429

Source
https://curl.se/docs/CVE-2026-6429.html
Import Source
https://curl.se/docs/CURL-CVE-2026-6429.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-6429
Aliases
  • CVE-2026-6429
Published
2026-04-29T08:00:00Z
Modified
2026-04-29T08:02:58.762915Z
Summary
netrc credential leak with reused proxy connection
Details

When libcurl is asked both to use a .netrc file for credentials and to follow HTTP redirects, it could, under certain circumstances, leak the password used for the first host to the host it is redirected to.

Database specific
{
    "severity": "Medium",
    "URL": "https://curl.se/docs/CVE-2026-6429.json",
    "www": "https://curl.se/docs/CVE-2026-6429.html",
    "CWE": {
        "id": "CWE-200",
        "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.19.0",
    "affects": "lib",
    "package": "curl",
    "issue": "https://hackerone.com/reports/3677759"
}
References
Credits
    • Muhamad Arga Reksapati - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
7.14.0
Fixed
8.20.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

7.*
7.14.0
7.14.1
7.15.0
7.15.1
7.15.2
7.15.3
7.15.4
7.15.5
7.16.0
7.16.1
7.16.2
7.16.3
7.16.4
7.17.0
7.17.1
7.18.0
7.18.1
7.18.2
7.19.0
7.19.1
7.19.2
7.19.3
7.19.4
7.19.5
7.19.6
7.19.7
7.20.0
7.20.1
7.21.0
7.21.1
7.21.2
7.21.3
7.21.4
7.21.5
7.21.6
7.21.7
7.22.0
7.23.0
7.23.1
7.24.0
7.25.0
7.26.0
7.27.0
7.28.0
7.28.1
7.29.0
7.30.0
7.31.0
7.32.0
7.33.0
7.34.0
7.35.0
7.36.0
7.37.0
7.37.1
7.38.0
7.39.0
7.40.0
7.41.0
7.42.0
7.42.1
7.43.0
7.44.0
7.45.0
7.46.0
7.47.0
7.47.1
7.48.0
7.49.0
7.49.1
7.50.0
7.50.1
7.50.2
7.50.3
7.51.0
7.52.0
7.52.1
7.53.0
7.53.1
7.54.0
7.54.1
7.55.0
7.55.1
7.56.0
7.56.1
7.57.0
7.58.0
7.59.0
7.60.0
7.61.0
7.61.1
7.62.0
7.63.0
7.64.0
7.64.1
7.65.0
7.65.1
7.65.2
7.65.3
7.66.0
7.67.0
7.68.0
7.69.0
7.69.1
7.70.0
7.71.0
7.71.1
7.72.0
7.73.0
7.74.0
7.75.0
7.76.0
7.76.1
7.77.0
7.78.0
7.79.0
7.79.1
7.80.0
7.81.0
7.82.0
7.83.0
7.83.1
7.84.0
7.85.0
7.86.0
7.87.0
7.88.0
7.88.1
8.*
8.0.0
8.0.1
8.1.0
8.1.1
8.1.2
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.2.0
8.2.1
8.3.0
8.4.0
8.5.0
8.6.0
8.7.0
8.7.1
8.8.0
8.9.0
8.9.1

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-6429.json"
vanir_signatures_modified
"2026-04-29T08:02:58Z"
vanir_signatures
[
    {
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "262213279479304691972969913138634515263",
                "137814960471996890575448468948194219978",
                "50647611652183504084896164165578206006",
                "313544927870996035833549893821412042075",
                "213627143512089000693688273867763011737",
                "193661413349536839107381309482446297033",
                "58346947874914040767163299189272697882",
                "20138485302683238274812364057704738240",
                "2190266128230875505585425926435447414",
                "247245953303230984584862869028302822875",
                "55283663152096291166892001986410813066",
                "112264981227469287977008014568145243400",
                "280469479293568887108636019364765783070",
                "14441507907980708400703379047456717228",
                "162336657417133345383254175169542661232",
                "83472362091998835129904417069979942910",
                "317211738324733072550656731205738874064",
                "9637660824377309761791143616353810111",
                "103658830723321277812192386937954357653",
                "223413030724207746052045203621174229200",
                "165683988626159830439846933662587513675",
                "131346458280825504993606606931884909547",
                "252860276522399556941931934634122346641",
                "277363589187611531359930456444704907499",
                "86026291160034698059020022095435475234",
                "234295550259999560674514675547733374013",
                "101670818155780293109649044997561647112",
                "127853622813105063628594769937513857348",
                "287367208832974364137403388033130346313",
                "138334278465857480366915537094158672242",
                "314870779521239701170915910098283510812",
                "170945051872164803635585811380229900085",
                "254585559388587421305490088715802184535",
                "107722876009911382663670587869377432544",
                "320541052570414647988547494354735701868",
                "9637660824377309761791143616353810111",
                "92263331689177025869176240760459863500",
                "180696501278029171812115912503094143734",
                "55644356499247268558106989670457896287",
                "251923338836784443979564565311550153228",
                "132163973743797973178495467941604025998",
                "329615567982486832622199821729773006961",
                "87501072607581407836275729653507131457",
                "107584785026934731488716812832006151101",
                "301497188995651378874451872512076462662",
                "185658610134303906426206857403109397165",
                "62614292991704433093761282607717995859",
                "231796839391158856141188178693780680118",
                "258924733029541543702786726108937435455",
                "329668925124041054722954862497211316480",
                "302644097870213801926571112282581227751",
                "161253257475109692977054986309718651098",
                "210900264819741471058694533536688582327",
                "252935111858746281325765865069989177309",
                "134076049495414102025307212910596160676",
                "325230785338800994283858617489882591598",
                "329643126094827922025492935102351275246",
                "12686751685437894086239103695674201103",
                "114400753959749156253333537240887015350",
                "220568821899006542532161294027161901077",
                "285100698413113740915749981020332543840",
                "329668925124041054722954862497211316480",
                "86490769393219743705193535127466686690",
                "169439040966931523384077719728185904691",
                "197306022009173828795398986285420065519",
                "109855082790205726028689834937228754987"
            ],
            "threshold": 0.9
        },
        "id": "CURL-CVE-2026-6429-045e08fa",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/curl/curl.git/commit/b4024bf808bd558026fdc6096e8457f199ace306",
        "target": {
            "file": "lib/http.c"
        }
    },
    {
        "signature_type": "Function",
        "digest": {
            "length": 4669.0,
            "function_hash": "335462080756010715635133987829817414775"
        },
        "id": "CURL-CVE-2026-6429-d5c06972",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://github.com/curl/curl.git/commit/b4024bf808bd558026fdc6096e8457f199ace306",
        "target": {
            "file": "lib/http.c",
            "function": "Curl_http_follow"
        }
    }
]