CVE-2026-1965
published 2026-03-11CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of…
PriorityP341medium6.5CVSS 3.1
AVNACLPRLUINSUCNIHAN
EPSS
0.07%
22.4th percentile
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates *connections* and not *requests*, contrary
to how HTTP is designed to work.
An application that allows Negotiate authentication to a server (that responds
wanting Negotiate) with `user1:password1` and then does another operation to
the same server also using Negotiate but with `user2:password2` (while the
previous connection is still alive) - the second request wrongly reused the
same connection and since it then sees that the Negotiate negotiation is
already made, it just sends the request over that connection thinking it uses
the user2 credentials when it is in fact still using the connection
authenticated for user1...
The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.
Applications can disable libcurl's reuse of connections and thus mitigate this
problem, by using one of the following libcurl options to alter how
connections are or are not reused: `CURLOPT_FRESH_CONNECT`,
`CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the
curl_multi API).
Affected
189 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.10.6 – 7.10.6 | — |
| curl | curl | 7.10.7 – 7.10.7 | — |
| curl | curl | 7.10.8 – 7.10.8 | — |
| curl | curl | 7.11.0 – 7.11.0 | — |
| curl | curl | 7.11.1 – 7.11.1 | — |
| curl | curl | 7.11.2 – 7.11.2 | — |
| curl | curl | 7.12.0 – 7.12.0 | — |
| curl | curl | 7.12.1 – 7.12.1 | — |
| curl | curl | 7.12.2 – 7.12.2 | — |
| curl | curl | 7.12.3 – 7.12.3 | — |
| curl | curl | 7.13.0 – 7.13.0 | — |
| curl | curl | 7.13.1 – 7.13.1 | — |
| curl | curl | 7.13.2 – 7.13.2 | — |
| curl | curl | 7.14.0 – 7.14.0 | — |
| curl | curl | 7.14.1 – 7.14.1 | — |
| curl | curl | 7.15.0 – 7.15.0 | — |
| curl | curl | 7.15.1 – 7.15.1 | — |
| curl | curl | 7.15.2 – 7.15.2 | — |
| curl | curl | 7.15.3 – 7.15.3 | — |
| curl | curl | 7.15.4 – 7.15.4 | — |
| curl | curl | 7.15.5 – 7.15.5 | — |
| curl | curl | 7.16.0 – 7.16.0 | — |
| curl | curl | 7.16.1 – 7.16.1 | — |
| curl | curl | 7.16.2 – 7.16.2 | — |
| curl | curl | 7.16.3 – 7.16.3 | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
vendor_redhat6.5MEDIUM
vendor_ubuntu6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-16·CVSS 6.5
CVE-2026-3783 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect cr
Red Hat
curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
vendor_redhat·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CWE-303 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates *connections* and not *requests*, contrary
to how HTTP is designed to work.
An application that allows Negotiate auth
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-11·CVSS 3.4
CVE-2025-0167 [LOW] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl
Microsoft
bad reuse of HTTP Negotiate connection
vendor_msrc·2026-03-10·CVSS 6.5
CVE-2026-1965 [MEDIUM] bad reuse of HTTP Negotiate connection
bad reuse of HTTP Negotiate connection
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Debian
CVE-2026-1965: curl - libcurl can in some circumstances reuse the wrong connection when asked to do an...
vendor_debian·2026·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965: curl - libcurl can in some circumstances reuse the wrong connection when asked to do an...
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does anoth
OSV
curl vulnerabilities
osv·2026-03-16·CVSS 6.5
CVE-2026-1965 [MEDIUM] curl vulnerabilities
curl vulnerabilities
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
GHSA
GHSA-q9qg-g2c3-3hr2: libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request
ghsa_unreviewed·2026-03-11
CVE-2026-1965 [MEDIUM] CWE-305 GHSA-q9qg-g2c3-3hr2: libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates *connections* and not *requests*, contrary
to how HTTP is designed to work.
An application that allows Negotiate authentication to a server (that responds
wanting Negotiate) with `user1:password1` and then does an
OSV
CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request
osv·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965: libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request
libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does anoth
OSV
curl vulnerabilities
osv·2026-03-11·CVSS 3.4
CVE-2026-1965 [LOW] curl vulnerabilities
curl vulnerabilities
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl incorrectly handled certain memory
operations when doing a s
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15224 :
cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Source : NVD
## 3.1
Score
Published January 8, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
curl
libcurl4
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity LOW No Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity LOW No Fix Added at: Jan 28, 2026
Wiz
CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15079 [MEDIUM] CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15079 :
cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the
libssh global known_hosts file.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
curl-debuginfo
libcurl-devel
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MED
Wiz
CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14819 [MEDIUM] CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14819 :
cURL vulnerability analysis and mitigation
CURLSSLOPT_NO_PARTIALCHAIN
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl-minimal-debuginfo
libcurl-devel-doc
Sources
Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDIUM Has Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity MEDIUM Has Fix Added at: Jan 28, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Jan 08, 2026
Container-Optimized OS Severity MEDIUM Has Fix Added at: Mar 03, 2026
Debian 1
Wiz
CVE-2026-3805 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2026-3805 [MEDIUM] CVE-2026-3805 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3805 :
cURL vulnerability analysis and mitigation
When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.
Source : NVD
## 7.5
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
cURL
Libcurl
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rust-debugger-common
rust-src
Sources
Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH Has Fix Added at: Mar 13, 2026
Debian 13 Severity MEDIUM No Fix Added at: Mar 12, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 12, 2026
Homebrew Severity HI
Wiz
CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14524 [MEDIUM] CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14524 :
cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl-devel-32bit
curl-zsh-completion
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDI
Wiz
CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-3784 [MEDIUM] CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3784 :
cURL vulnerability analysis and mitigation
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Source : NVD
## 6.5
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl
rust-doc
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 13, 20
Wiz
CVE-2026-1965 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1965 :
cURL vulnerability analysis and mitigation
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates connections and not requests , contrary
to how HTTP is designed to work.
user1:password1
user2:password2
CURLOPT_HTTPAUTH
CURLOPT_FRESH_CONNECT
C
Wiz
CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-13034 [MEDIUM] CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13034 :
cURL vulnerability analysis and mitigation
CURLOPT_PINNEDPUBLICKEY
--pinnedpubkey
This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.
Source : NVD
## 5.9
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
curl
curl
Wiz
CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2025-11563 [MEDIUM] CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11563 :
cURL vulnerability analysis and mitigation
## Overview
CVE-2025-11563 is a path traversal vulnerability affecting wcurl, discovered on October 6, 2025, and publicly disclosed on November 4, 2025. The vulnerability affects wcurl versions shipped with curl 8.14.0 to 8.16.0 and standalone wcurl versions from 2024.12.08 to 2025.09.27. This security flaw allows URLs containing percent-encoded slashes (/ or ) to trick wcurl into saving output files outside of the current directory without explicit user permission ( Curl Advisory ).
## Technical details
The vulnerability is classified as CWE-35: Path Traversal with a Moderate severity rating. The issue stems from wcurl's handling of percent-encoded slashes in URLs, where the tool incorrectly processes URLs containing p
Wiz
CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-14017 [MEDIUM] CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14017 :
cURL vulnerability analysis and mitigation
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.
Source : NVD
## 6.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
snphost
cpe:2.3:a:haxx:curl
Sources
Alp
Wiz
CVE-2026-3783 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3783 :
cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
machine
default
Source : NVD
## 5.3
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
s390utils-mon_statd
trustee-guest-components
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Ad
Bugzilla
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-43]
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-43]
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-43]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-66db242036 (curl-8.15.0-6.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-66db242036
---
FEDORA-2026-66db242036 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-66db242036`
You can provide feedback for this update
Bugzilla
CVE-2026-1965 mingw-curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 mingw-curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
CVE-2026-1965 mingw-curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in
Bugzilla
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-907bbf2a13 (curl-8.11.1-8.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-907bbf2a13
---
FEDORA-2026-907bbf2a13 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-907bbf2a13`
You can provide feedback for this update
Bugzilla
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
CVE-2026-1965 curl: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates *connections* and not *requests*, contrary
to how HTTP is designed to work.
An application that allo
Bugzilla
CVE-2026-1965 trustee-guest-components: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 trustee-guest-components: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
CVE-2026-1965 trustee-guest-components: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
pla
Bugzilla
CVE-2026-1965 rpi-imager: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
bugzilla·2026-03-11·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 rpi-imager: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
CVE-2026-1965 rpi-imager: curl: Authentication bypass due to incorrect connection reuse with Negotiate authentication [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in
2026-03-11
Published