CURL-CVE-2026-8927

See a problem?
Please try reporting it to the source first.

Source

https://curl.se/docs/CVE-2026-8927.html

Import Source

https://curl.se/docs/CURL-CVE-2026-8927.json

JSON Data

https://api.osv.dev/v1/vulns/CURL-CVE-2026-8927

Aliases

CVE-2026-8927

Published

2026-06-24T08:00:00Z

Modified

2026-06-24T08:07:05.879014Z

Summary

env-set cross-proxy Digest auth state leak

Details

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against proxyA using Digest auth, a subsequent transfer routed through proxyB erroneously leaks the Proxy-Authorization: header intended solely for proxyA.

Database specific

{
    "affects": "lib",
    "package": "curl",
    "CWE": {
        "desc": "Authentication Bypass by Capture-replay",
        "id": "CWE-294"
    },
    "www": "https://curl.se/docs/CVE-2026-8927.html",
    "URL": "https://curl.se/docs/CVE-2026-8927.json",
    "issue": "https://hackerone.com/reports/3744543",
    "last_affected": "8.20.0",
    "severity": "Medium"
}

References

Credits

- Ady Elouej - FINDER
- Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type: SEMVER
Events: Introduced

7.12.0

Fixed

8.21.0

Type: GIT
Repo: https://github.com/curl/curl.git
Events: Introduced

fc6eff13b5414caf6edf22d73a3239e074a04216

Fixed

5c225384b8d52c67ce8259c6e4203bc57aacb567

Affected versions

7.*

7.12.0

7.12.1

7.12.2

7.12.3

7.13.0

7.13.1

7.13.2

7.14.0

7.14.1

7.15.0

7.15.1

7.15.2

7.15.3

7.15.4

7.15.5

7.16.0

7.16.1

7.16.2

7.16.3

7.16.4

7.17.0

7.17.1

7.18.0

7.18.1

7.18.2

7.19.0

7.19.1

7.19.2

7.19.3

7.19.4

7.19.5

7.19.6

7.19.7

7.20.0

7.20.1

7.21.0

7.21.1

7.21.2

7.21.3

7.21.4

7.21.5

7.21.6

7.21.7

7.22.0

7.23.0

7.23.1

7.24.0

7.25.0

7.26.0

7.27.0

7.28.0

7.28.1

7.29.0

7.30.0

7.31.0

7.32.0

7.33.0

7.34.0

7.35.0

7.36.0

7.37.0

7.37.1

7.38.0

7.39.0

7.40.0

7.41.0

7.42.0

7.42.1

7.43.0

7.44.0

7.45.0

7.46.0

7.47.0

7.47.1

7.48.0

7.49.0

7.49.1

7.50.0

7.50.1

7.50.2

7.50.3

7.51.0

7.52.0

7.52.1

7.53.0

7.53.1

7.54.0

7.54.1

7.55.0

7.55.1

7.56.0

7.56.1

7.57.0

7.58.0

7.59.0

7.60.0

7.61.0

7.61.1

7.62.0

7.63.0

7.64.0

7.64.1

7.65.0

7.65.1

7.65.2

7.65.3

7.66.0

7.67.0

7.68.0

7.69.0

7.69.1

7.70.0

7.71.0

7.71.1

7.72.0

7.73.0

7.74.0

7.75.0

7.76.0

7.76.1

7.77.0

7.78.0

7.79.0

7.79.1

7.80.0

7.81.0

7.82.0

7.83.0

7.83.1

7.84.0

7.85.0

7.86.0

7.87.0

7.88.0

7.88.1

8.*

8.0.0

8.0.1

8.1.0

8.1.1

8.1.2

8.10.0

8.10.1

8.11.0

8.11.1

8.12.0

8.12.1

8.13.0

8.14.0

8.14.1

8.15.0

8.16.0

8.17.0

8.18.0

8.19.0

8.2.0

8.2.1

8.20.0

8.3.0

8.4.0

8.5.0

8.6.0

8.7.0

8.7.1

8.8.0

8.9.0

8.9.1

Other

before_ftp_statemachine

curl-7_12_0

curl-7_12_1

curl-7_12_2

curl-7_12_3

curl-7_13_0

curl-7_13_1

curl-7_13_2

curl-7_14_0

curl-7_14_1

curl-7_15_0

curl-7_15_1

curl-7_15_2

curl-7_15_3

curl-7_15_4

curl-7_15_5

curl-7_15_6-prepipeline

curl-7_16_0

curl-7_16_1

curl-7_16_2

curl-7_16_3

curl-7_16_4

curl-7_17_0

curl-7_17_0-preldapfix

curl-7_17_1

curl-7_18_0

curl-7_18_1

curl-7_18_2

curl-7_19_0

curl-7_19_1

curl-7_19_2

curl-7_19_3

curl-7_19_4

curl-7_19_5

curl-7_19_6

curl-7_19_7

curl-7_20_0

curl-7_20_1

curl-7_21_0

curl-7_21_1

curl-7_21_2

curl-7_21_3

curl-7_21_4

curl-7_21_5

curl-7_21_6

curl-7_21_7

curl-7_22_0

curl-7_23_0

curl-7_23_1

curl-7_24_0

curl-7_25_0

curl-7_26_0

curl-7_27_0

curl-7_28_0

curl-7_28_1

curl-7_29_0

curl-7_30_0

curl-7_31_0

curl-7_32_0

curl-7_33_0

curl-7_34_0

curl-7_35_0

curl-7_36_0

curl-7_37_0

curl-7_37_1

curl-7_38_0

curl-7_39_0

curl-7_40_0

curl-7_41_0

curl-7_42_0

curl-7_42_1

curl-7_43_0

curl-7_44_0

curl-7_45_0

curl-7_46_0

curl-7_47_0

curl-7_47_1

curl-7_48_0

curl-7_49_0

curl-7_49_1

curl-7_50_0

curl-7_50_1

curl-7_50_2

curl-7_50_3

curl-7_51_0

curl-7_52_0

curl-7_52_1

curl-7_53_0

curl-7_53_1

curl-7_54_0

curl-7_54_1

curl-7_55_0

curl-7_55_1

curl-7_56_0

curl-7_56_1

curl-7_57_0

curl-7_58_0

curl-7_59_0

curl-7_60_0

curl-7_61_0

curl-7_61_1

curl-7_62_0

curl-7_63_0

curl-7_64_0

curl-7_64_1

curl-7_65_0

curl-7_65_1

curl-7_65_2

curl-7_65_3

curl-7_66_0

curl-7_67_0

curl-7_68_0

curl-7_69_0

curl-7_69_1

curl-7_70_0

curl-7_71_0

curl-7_71_1

curl-7_72_0

curl-7_73_0

curl-7_74_0

curl-7_75_0

curl-7_76_0

curl-7_76_1

curl-7_77_0

curl-7_78_0

curl-7_79_0

curl-7_79_1

curl-7_80_0

curl-7_81_0

curl-7_82_0

curl-7_83_0

curl-7_83_1

curl-7_84_0

curl-7_85_0

curl-7_86_0

curl-7_87_0

curl-7_88_0

curl-7_88_1

curl-8_0_0

curl-8_0_1

curl-8_10_0

curl-8_10_1

curl-8_11_0

curl-8_11_1

curl-8_12_0

curl-8_12_1

curl-8_13_0

curl-8_14_0

curl-8_14_1

curl-8_15_0

curl-8_16_0

curl-8_17_0

curl-8_18_0

curl-8_19_0

curl-8_1_0

curl-8_1_1

curl-8_1_2

curl-8_20_0

curl-8_2_0

curl-8_2_1

curl-8_3_0

curl-8_4_0

curl-8_5_0

curl-8_6_0

curl-8_7_0

curl-8_7_1

curl-8_8_0

curl-8_9_0

curl-8_9_1

rc-8_18_0-1

rc-8_18_0-2

rc-8_18_0-3

rc-8_19_0-1

rc-8_19_0-2

rc-8_19_0-3

rc-8_20_0-1

rc-8_20_0-2

rc-8_20_0-3

tiny-curl-7_72_0

tiny-curl-8_4_0

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/5c225384b8d52c67ce8259c6e4203bc57aacb567",
        "signature_version": "v1",
        "target": {
            "file": "lib/urldata.h"
        },
        "id": "CURL-CVE-2026-8927-1a0c6a13",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "249901541397359699391036164270811196685",
                "172078901768951523804103097952423731296",
                "190570895038941515893744210575032446538",
                "31498056193008689981868568994607611615"
            ],
            "threshold": 0.9
        }
    },
    {
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/5c225384b8d52c67ce8259c6e4203bc57aacb567",
        "signature_version": "v1",
        "target": {
            "file": "lib/url.c",
            "function": "url_set_conn_proxies"
        },
        "id": "CURL-CVE-2026-8927-536f3c2a",
        "deprecated": false,
        "digest": {
            "function_hash": "291154372783688294644456481096551471603",
            "length": 2977.0
        }
    },
    {
        "signature_type": "Function",
        "source": "https://github.com/curl/curl.git/commit/5c225384b8d52c67ce8259c6e4203bc57aacb567",
        "signature_version": "v1",
        "target": {
            "file": "lib/url.c",
            "function": "Curl_close"
        },
        "id": "CURL-CVE-2026-8927-8e5a0f99",
        "deprecated": false,
        "digest": {
            "function_hash": "108501742541011625610382809889759431245",
            "length": 2235.0
        }
    },
    {
        "signature_type": "Line",
        "source": "https://github.com/curl/curl.git/commit/5c225384b8d52c67ce8259c6e4203bc57aacb567",
        "signature_version": "v1",
        "target": {
            "file": "lib/url.c"
        },
        "id": "CURL-CVE-2026-8927-f66aa01c",
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "99719859570556904404521593072169703635",
                "332982338190860309439232505874931661857",
                "237740169298000483514266910350050489422",
                "272304136448532278901451982226560871326",
                "270501895432923960841663077836635145169",
                "124922194065672035295929635149019045712",
                "334857077174051218518059358584455468992",
                "132974526410959760674586219544412541301"
            ],
            "threshold": 0.9
        }
    }
]

source

"https://curl.se/docs/CURL-CVE-2026-8927.json"

vanir_signatures_modified

"2026-06-24T08:07:05Z"