When asking curl to use a .netrc file to find credentials and at the same
time specifying a URL with a username(without a password), like
https://user@example.com/, curl could wrongly get and use the password for
another user set in the .netrc file for that host if such a one exists and
there is no match for the specified user.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8.20.0"
},
{
"last_affected": "8.20.0"
},
{
"introduced": "8.19.0"
},
{
"last_affected": "8.19.0"
},
{
"introduced": "8.18.0"
},
{
"last_affected": "8.18.0"
},
{
"introduced": "8.17.0"
},
{
"last_affected": "8.17.0"
},
{
"introduced": "8.16.0"
},
{
"last_affected": "8.16.0"
},
{
"introduced": "8.15.0"
},
{
"last_affected": "8.15.0"
},
{
"introduced": "8.14.1"
},
{
"last_affected": "8.14.1"
},
{
"introduced": "8.14.0"
},
{
"last_affected": "8.14.0"
},
{
"introduced": "8.13.0"
},
{
"last_affected": "8.13.0"
},
{
"introduced": "8.12.1"
},
{
"last_affected": "8.12.1"
},
{
"introduced": "8.12.0"
},
{
"last_affected": "8.12.0"
},
{
"introduced": "8.11.1"
},
{
"last_affected": "8.11.1"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8926.json",
"cna_assigner": "curl"
}