CURL-CVE-2026-9079

Source
https://curl.se/docs/CVE-2026-9079.html
Import Source
https://curl.se/docs/CURL-CVE-2026-9079.json
JSON Data
https://api.osv.dev/v1/vulns/CURL-CVE-2026-9079
Aliases
  • CVE-2026-9079
Published
2026-06-24T08:00:00Z
Modified
2026-06-24T14:05:45.202035Z
Summary
stale proxy password leak
Details

libcurl had a flaw where, when instructed to clear proxy authentication credentials, it did not do so, leaving the old credentials around to be used for subsequent transfers that should neither know nor use them.

Database specific
{
    "package": "curl",
    "URL": "https://curl.se/docs/CVE-2026-9079.json",
    "last_affected": "8.20.0",
    "issue": "https://hackerone.com/reports/3750295",
    "affects": "lib",
    "severity": "Medium",
    "www": "https://curl.se/docs/CVE-2026-9079.html",
    "CWE": {
        "desc": "Insufficiently Protected Credentials",
        "id": "CWE-522"
    }
}
References
Credits
    • Guancheng Li - FINDER
    • Daniel Stenberg - REMEDIATION_DEVELOPER

Affected packages

Git / github.com/curl/curl.git

Affected ranges

Type
SEMVER
Events
Introduced
8.8.0
Fixed
8.21.0
Type
GIT
Repo
https://github.com/curl/curl.git
Events

Affected versions

8.*
8.10.0
8.10.1
8.11.0
8.11.1
8.12.0
8.12.1
8.13.0
8.14.0
8.14.1
8.15.0
8.16.0
8.17.0
8.18.0
8.19.0
8.20.0
8.8.0
8.9.0
8.9.1
Other
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3

Database specific

source
"https://curl.se/docs/CURL-CVE-2026-9079.json"
vanir_signatures_modified
"2026-06-24T14:05:45Z"
vanir_signatures
[
    {
        "target": {
            "file": "lib/setopt.c",
            "function": "setopt_cptr_proxy"
        },
        "id": "CURL-CVE-2026-9079-a6e1475f",
        "source": "https://github.com/curl/curl.git/commit/88c7e16cceec816a2df45c899d49b1e85513f193",
        "signature_type": "Function",
        "deprecated": false,
        "digest": {
            "length": 3298.0,
            "function_hash": "168585028151243835991960072474819965478"
        },
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "lib/setopt.c"
        },
        "id": "CURL-CVE-2026-9079-befc3d48",
        "source": "https://github.com/curl/curl.git/commit/88c7e16cceec816a2df45c899d49b1e85513f193",
        "signature_type": "Line",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        },
        "signature_version": "v1"
    }
]