A vulnerability in libcurl caused the HTTP Referer: header to persist even
after the application explicitly cleared it. The documentation states that
passing NULL to CURLOPT_REFERER suppresses the header, but setting the
option to NULL failed to clear the referrer string kept in libcurl's
internal state. As a result, the previous referrer string was erroneously
reused and sent in requests made after the option was cleared, potentially
leaking sensitive information (a referrer URL can carry paths and query
parameters) to unintended servers.
{
"package": "curl",
"URL": "https://curl.se/docs/CVE-2026-9546.json",
"last_affected": "8.20.0",
"issue": "https://hackerone.com/reports/3754343",
"affects": "lib",
"severity": "Low",
"www": "https://curl.se/docs/CVE-2026-9546.html",
"CWE": {
"desc": "Exposure of Sensitive Information to an Unauthorized Actor",
"id": "CWE-200"
}
}"https://curl.se/docs/CURL-CVE-2026-9546.json"
"2026-06-24T08:07:05Z"
[
{
"target": {
"file": "lib/transfer.c"
},
"id": "CURL-CVE-2026-9546-7ba9ca43",
"source": "https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"329802710635362475633966257142929289229",
"59722172210655117825890418870938329781",
"183831522990858182837473479172905867047",
"304554302798540308152858876043779062238"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "lib/transfer.c",
"function": "Curl_pretransfer"
},
"id": "CURL-CVE-2026-9546-93bc1aa3",
"source": "https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 3790.0,
"function_hash": "192731219037552860576466850254657292841"
},
"signature_version": "v1"
}
]