CURL-CVE-2026-7168

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-7168.html

Import Source

https://curl.se/docs/CURL-CVE-2026-7168.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-7168

Aliases

CVE-2026-7168

Published

2026-04-29T08:00:00Z

Modified

2026-05-27T02:29:14.550385Z

Summary

cross-proxy Digest auth state leak

Details

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Database specific

{
    "package": "curl",
    "severity": "Medium",
    "URL": "https://curl.se/docs/CVE-2026-7168.json",
    "affects": "lib",
    "CWE": {
        "desc": "Authentication Bypass by Capture-replay",
        "id": "CWE-294"
    },
    "last_affected": "8.19.0",
    "issue": "https://hackerone.com/reports/3697719",
    "www": "https://curl.se/docs/CVE-2026-7168.html"
}

References

Credits

- Muhamad Arga Reksapati - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.12.0

Fixed

8.20.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

fc6eff13b5414caf6edf22d73a3239e074a04216

Fixed

c1cfdf59acbaf9504c4578d4cf56cdd7c8594507

Affected versions

7.*

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.19.0

8.2.0

8.2.1

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Other

before_ftp_statemachine

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_12_3

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_2

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_0-preldapfix

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_1

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_20_0

curl-7_20_1

curl-7_21_0

curl-7_21_1

curl-7_21_2

curl-7_21_3

curl-7_21_4

curl-7_21_5

curl-7_21_6

curl-7_21_7

curl-7_22_0

curl-7_23_0

curl-7_23_1

curl-7_24_0

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_42_1

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

curl-7_64_0

curl-7_64_1

curl-7_65_0

curl-7_65_1

curl-7_65_2

curl-7_65_3

curl-7_66_0

curl-7_67_0

curl-7_68_0

curl-7_69_0

curl-7_69_1

curl-7_70_0

curl-7_71_0

curl-7_71_1

curl-7_72_0

curl-7_73_0

curl-7_74_0

curl-7_75_0

curl-7_76_0

curl-7_76_1

curl-7_77_0

curl-7_78_0

curl-7_79_0

curl-7_79_1

curl-7_80_0

curl-7_81_0

curl-7_82_0

curl-7_83_0

curl-7_83_1

curl-7_84_0

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_18_0

curl-8_19_0

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

curl-8_7_0

curl-8_7_1

curl-8_8_0

curl-8_9_0

curl-8_9_1

rc-8_18_0-1

rc-8_18_0-2

rc-8_18_0-3

rc-8_19_0-1

rc-8_19_0-2

rc-8_19_0-3

rc-8_20_0-1

rc-8_20_0-2

rc-8_20_0-3

tiny-curl-7_72_0

tiny-curl-8_4_0

Database specific

vanir_signatures_modified

"2026-05-27T02:29:14Z"

source

"https://curl.se/docs/CURL-CVE-2026-7168.json"

vanir_signatures

[
    {
        "signature_type": "Function",
        "target": {
            "function": "setopt_cptr_proxy",
            "file": "lib/setopt.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-7168-2df49b29",
        "source": "https://github.com/curl/curl.git/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507",
        "digest": {
            "function_hash": "61091634436092434602550532891846171597",
            "length": 3175.0
        }
    },
    {
        "signature_type": "Line",
        "target": {
            "file": "lib/setopt.c"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CURL-CVE-2026-7168-4f9a4c84",
        "source": "https://github.com/curl/curl.git/commit/c1cfdf59acbaf9504c4578d4cf56cdd7c8594507",
        "digest": {
            "line_hashes": [
                "289191531952819915542830893291096787737",
                "59095837547675122187763704309080974731",
                "167006278873572358673810952726165764949",
                "224868766777062336296023368828860473619",
                "333014249335962099969630568066425036457",
                "250872193381835103837860955535302533178",
                "66613185124136658966388644022618296204",
                "16789802708858953211452692390131809950",
                "193982464444589644999129290801954628985",
                "266841901464165558368188423363496994960",
                "335292972306276611749196570122101149273",
                "130847580014203461093210467035637337697"
            ],
            "threshold": 0.9
        }
    }
]