CURL-CVE-2026-7009

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-7009.html

Import Source

https://curl.se/docs/CURL-CVE-2026-7009.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-7009

Aliases

CVE-2026-7009

Published

2026-04-29T08:00:00Z

Modified

2026-04-29T14:05:08.419817Z

Summary

OCSP stapling bypass with Apple SecTrust

Details

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

Database specific

{
    "last_affected": "8.19.0",
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-7009.json",
    "severity": "Medium",
    "issue": "https://hackerone.com/reports/3694390",
    "www": "https://curl.se/docs/CVE-2026-7009.html",
    "CWE": {
        "desc": "Improper Certificate Validation",
        "id": "CWE-295"
    },
    "affects": "both"
}

References

Credits

- Carlos Carrillo - FINDER
- Stefan Eissing - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

8.17.0

Fixed

8.20.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

eefd03c572996e5de4dec4fe295ad6f103e0eefc

Fixed

51905671e07f087e28e5741063646c379fe17d89

Affected versions

8.*

8.17.0

8.18.0

8.19.0

Database specific

source

"https://curl.se/docs/CURL-CVE-2026-7009.json"

vanir_signatures

[
    {
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "281561516296048034461942107792512658740",
                "130495573668886043558713801524753297430",
                "28032674530989727382368037384118812857",
                "58789915446143880879127277405553830503",
                "196859332260118428262127076906485400635",
                "241720696807293931685546187667992107003",
                "10600314697658732467727494117451947703",
                "277108684260883679066498837699569709972",
                "161630115168354249620100559294369861276",
                "268326472292602632831779513730604275699",
                "77929905525980707375128624556306579873"
            ],
            "threshold": 0.9
        },
        "source": "https://github.com/curl/curl.git/commit/51905671e07f087e28e5741063646c379fe17d89",
        "target": {
            "file": "lib/vtls/openssl.c"
        },
        "id": "CURL-CVE-2026-7009-10477259"
    },
    {
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 957.0,
            "function_hash": "158376452266852961534051614206996832747"
        },
        "source": "https://github.com/curl/curl.git/commit/51905671e07f087e28e5741063646c379fe17d89",
        "target": {
            "function": "ossl_apple_verify",
            "file": "lib/vtls/openssl.c"
        },
        "id": "CURL-CVE-2026-7009-63610a8e"
    }
]

vanir_signatures_modified

"2026-04-29T14:05:08Z"