CVE-2026-7009

Source
https://cve.org/CVERecord?id=CVE-2026-7009
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7009.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7009
Aliases
Downstream
Published
2026-05-13T08:28:53.697Z
Modified
2026-07-08T08:11:37.266767223Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
OCSP stapling bypass with Apple SecTrust
Details

When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

Database specific
{
    "cna_assigner": "curl",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.19.0"
                },
                {
                    "last_affected": "8.19.0"
                },
                {
                    "introduced": "8.18.0"
                },
                {
                    "last_affected": "8.18.0"
                },
                {
                    "introduced": "8.17.0"
                },
                {
                    "last_affected": "8.17.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7009.json"
}
References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Database specific
{
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "8.17.0"
        },
        {
            "fixed": "8.20.0"
        }
    ],
    "cpe": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*"
}

Affected versions

Other
curl-8_17_0
curl-8_18_0
curl-8_19_0
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7009.json"