CVE-2026-9079

Source
https://cve.org/CVERecord?id=CVE-2026-9079
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9079.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9079
Aliases
Downstream
Published
2026-07-03T06:16:51.127Z
Modified
2026-07-09T04:02:09.519058053Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
stale proxy password leak
Details

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "8.20.0"
                },
                {
                    "last_affected": "8.20.0"
                },
                {
                    "introduced": "8.19.0"
                },
                {
                    "last_affected": "8.19.0"
                },
                {
                    "introduced": "8.18.0"
                },
                {
                    "last_affected": "8.18.0"
                },
                {
                    "introduced": "8.17.0"
                },
                {
                    "last_affected": "8.17.0"
                },
                {
                    "introduced": "8.16.0"
                },
                {
                    "last_affected": "8.16.0"
                },
                {
                    "introduced": "8.15.0"
                },
                {
                    "last_affected": "8.15.0"
                },
                {
                    "introduced": "8.14.1"
                },
                {
                    "last_affected": "8.14.1"
                },
                {
                    "introduced": "8.14.0"
                },
                {
                    "last_affected": "8.14.0"
                },
                {
                    "introduced": "8.13.0"
                },
                {
                    "last_affected": "8.13.0"
                },
                {
                    "introduced": "8.12.1"
                },
                {
                    "last_affected": "8.12.1"
                },
                {
                    "introduced": "8.12.0"
                },
                {
                    "last_affected": "8.12.0"
                },
                {
                    "introduced": "8.11.1"
                },
                {
                    "last_affected": "8.11.1"
                },
                {
                    "introduced": "8.11.0"
                },
                {
                    "last_affected": "8.11.0"
                },
                {
                    "introduced": "8.10.1"
                },
                {
                    "last_affected": "8.10.1"
                },
                {
                    "introduced": "8.10.0"
                },
                {
                    "last_affected": "8.10.0"
                },
                {
                    "introduced": "8.9.1"
                },
                {
                    "last_affected": "8.9.1"
                },
                {
                    "introduced": "8.9.0"
                },
                {
                    "last_affected": "8.9.0"
                },
                {
                    "introduced": "8.8.0"
                },
                {
                    "last_affected": "8.8.0"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9079.json",
    "cna_assigner": "curl"
}
References

Affected packages

Git / github.com/curl/curl

Affected ranges

Type
GIT
Repo
https://github.com/curl/curl
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "8.8.0"
        },
        {
            "fixed": "8.21.0"
        }
    ]
}

Affected versions

Other
curl-8_10_0
curl-8_10_1
curl-8_11_0
curl-8_11_1
curl-8_12_0
curl-8_12_1
curl-8_13_0
curl-8_14_0
curl-8_14_1
curl-8_15_0
curl-8_16_0
curl-8_17_0
curl-8_18_0
curl-8_19_0
curl-8_20_0
curl-8_8_0
curl-8_9_0
curl-8_9_1
rc-8_18_0-1
rc-8_18_0-2
rc-8_18_0-3
rc-8_19_0-1
rc-8_19_0-2
rc-8_19_0-3
rc-8_20_0-1
rc-8_20_0-2
rc-8_20_0-3
rc-8_21_0-1
rc-8_21_0-2
rc-8_21_0-3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9079.json"