CVE-2026-12064

Source
https://cve.org/CVERecord?id=CVE-2026-12064
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12064.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12064
Aliases
Downstream
Related
Published
2026-07-03T06:13:55.302Z
Modified
2026-07-11T18:29:49.226577973Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
proto-default skips SSH verification
Details

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPTSSHHOSTPUBLICKEYSHA256 and CURLOPTSSHKNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPTDEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.20.0"
                },
                {
                    "last_affected": "8.20.0"
                },
                {
                    "introduced": "8.19.0"
                },
                {
                    "last_affected": "8.19.0"
                },
                {
                    "introduced": "8.18.0"
                },
                {
                    "last_affected": "8.18.0"
                },
                {
                    "introduced": "8.17.0"
                },
                {
                    "last_affected": "8.17.0"
                },
                {
                    "introduced": "8.16.0"
                },
                {
                    "last_affected": "8.16.0"
                },
                {
                    "introduced": "8.15.0"
                },
                {
                    "last_affected": "8.15.0"
                },
                {
                    "introduced": "8.14.1"
                },
                {
                    "last_affected": "8.14.1"
                },
                {
                    "introduced": "8.14.0"
                },
                {
                    "last_affected": "8.14.0"
                },
                {
                    "introduced": "8.13.0"
                },
                {
                    "last_affected": "8.13.0"
                },
                {
                    "introduced": "8.12.1"
                },
                {
                    "last_affected": "8.12.1"
                },
                {
                    "introduced": "8.12.0"
                },
                {
                    "last_affected": "8.12.0"
                },
                {
                    "introduced": "8.11.1"
                },
                {
                    "last_affected": "8.11.1"
                },
                {
                    "introduced": "8.11.0"
                },
                {
                    "last_affected": "8.11.0"
                },
                {
                    "introduced": "8.10.1"
                },
                {
                    "last_affected": "8.10.1"
                },
                {
                    "introduced": "8.10.0"
                },
                {
                    "last_affected": "8.10.0"
                },
                {
                    "introduced": "8.9.1"
                },
                {
                    "last_affected": "8.9.1"
                },
                {
                    "introduced": "8.9.0"
                },
                {
                    "last_affected": "8.9.0"
                },
                {
                    "introduced": "8.8.0"
                },
                {
                    "last_affected": "8.8.0"
                },
                {
                    "introduced": "8.7.1"
                },
                {
                    "last_affected": "8.7.1"
                },
                {
                    "introduced": "8.7.0"
                },
                {
                    "last_affected": "8.7.0"
                },
                {
                    "introduced": "8.6.0"
                },
                {
                    "last_affected": "8.6.0"
                },
                {
                    "introduced": "8.5.0"
                },
                {
                    "last_affected": "8.5.0"
                },
                {
                    "introduced": "8.4.0"
                },
                {
                    "last_affected": "8.4.0"
                },
                {
                    "introduced": "8.3.0"
                },
                {
                    "last_affected": "8.3.0"
                },
                {
                    "introduced": "8.2.1"
                },
                {
                    "last_affected": "8.2.1"
                },
                {
                    "introduced": "8.2.0"
                },
                {
                    "last_affected": "8.2.0"
                },
                {
                    "introduced": "8.1.2"
                },
                {
                    "last_affected": "8.1.2"
                },
                {
                    "introduced": "8.1.1"
                },
                {
                    "last_affected": "8.1.1"
                },
                {
                    "introduced": "8.1.0"
                },
                {
                    "last_affected": "8.1.0"
                },
                {
                    "introduced": "8.0.1"
                },
                {
                    "last_affected": "8.0.1"
                },
                {
                    "introduced": "8.0.0"
                },
                {
                    "last_affected": "8.0.0"
                },
                {
                    "introduced": "7.88.1"
                },
                {
                    "last_affected": "7.88.1"
                },
                {
                    "introduced": "7.88.0"
                },
                {
                    "last_affected": "7.88.0"
                },
                {
                    "introduced": "7.87.0"
                },
                {
                    "last_affected": "7.87.0"
                },
                {
                    "introduced": "7.86.0"
                },
                {
                    "last_affected": "7.86.0"
                },
                {
                    "introduced": "7.85.0"
                },
                {
                    "last_affected": "7.85.0"
                },
                {
                    "introduced": "7.84.0"
                },
                {
                    "last_affected": "7.84.0"
                },
                {
                    "introduced": "7.83.1"
                },
                {
                    "last_affected": "7.83.1"
                },
                {
                    "introduced": "7.83.0"
                },
                {
                    "last_affected": "7.83.0"
                },
                {
                    "introduced": "7.82.0"
                },
                {
                    "last_affected": "7.82.0"
                },
                {
                    "introduced": "7.81.0"
                },
                {
                    "last_affected": "7.81.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/12xxx/CVE-2026-12064.json",
    "cna_assigner": "curl"
}
References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.81.0"
        },
        {
            "fixed": "8.21.0"
        }
    ]
}

Affected versions

Other
curl-7_81_0
curl-7_82_0
curl-7_83_0
curl-7_83_1
curl-7_84_0
curl-7_85_0
curl-7_86_0
curl-7_87_0
curl-7_88_0
curl-7_88_1
curl-8_0_0
curl-8_0_1
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_1_0
curl-8_1_1
curl-8_1_2
curl-8_20_0
curl-8_2_0
curl-8_2_1
curl-8_3_0
curl-8_4_0
curl-8_5_0
curl-8_6_0
curl-8_7_0
curl-8_7_1
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1
rc-8_21_0-2
rc-8_21_0-3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12064.json"