CVE-2026-3784
Published 2026-03-11
CVE-2026-3784: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy…
Priority: P433 · Severity: medium · CVSS 3.1 score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.03% (8.7th percentile)
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Affected (210 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 7.10 – 7.10 | — |
| curl | curl | 7.10.1 – 7.10.1 | — |
| curl | curl | 7.10.2 – 7.10.2 | — |
| curl | curl | 7.10.3 – 7.10.3 | — |
| curl | curl | 7.10.4 – 7.10.4 | — |
| curl | curl | 7.10.5 – 7.10.5 | — |
| curl | curl | 7.10.6 – 7.10.6 | — |
| curl | curl | 7.10.7 – 7.10.7 | — |
| curl | curl | 7.10.8 – 7.10.8 | — |
| curl | curl | 7.11.0 – 7.11.0 | — |
| curl | curl | 7.11.1 – 7.11.1 | — |
| curl | curl | 7.11.2 – 7.11.2 | — |
| curl | curl | 7.12.0 – 7.12.0 | — |
| curl | curl | 7.12.1 – 7.12.1 | — |
| curl | curl | 7.12.2 – 7.12.2 | — |
| curl | curl | 7.12.3 – 7.12.3 | — |
| curl | curl | 7.13.0 – 7.13.0 | — |
| curl | curl | 7.13.1 – 7.13.1 | — |
| curl | curl | 7.13.2 – 7.13.2 | — |
| curl | curl | 7.14.0 – 7.14.0 | — |
| curl | curl | 7.14.1 – 7.14.1 | — |
| curl | curl | 7.15.0 – 7.15.0 | — |
| curl | curl | 7.15.1 – 7.15.1 | — |
| curl | curl | 7.15.2 – 7.15.2 | — |
| curl | curl | 7.15.3 – 7.15.3 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| osv | 6.5 | MEDIUM | |
| vendor_debian | 6.5 | MEDIUM | |
| vendor_msrc | 6.5 | MEDIUM | |
| vendor_redhat | 6.5 | MEDIUM | |
| vendor_ubuntu | 6.5 | MEDIUM | |
Ubuntu: curl vulnerabilities
vendor_ubuntu · 2026-03-16 · CVSS 6.5 · CVE-2026-3783 [MEDIUM]
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect cr
Red Hat: curl: Unauthorized access due to improper HTTP proxy connection reuse
vendor_redhat · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM] · CWE-305
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
A flaw was found in curl. This vulnerability allows curl to wrongly reuse an existing HTTP proxy connection when performing a CONNECT request to a server, even if the new request uses different authentication credentials for the HTTP proxy. This improper connection reuse could lead to an attacker gaining unauthorized access to resources or information intended for a different user.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red
Ubuntu: curl vulnerabilities
vendor_ubuntu · 2026-03-11 · CVSS 3.4 · CVE-2025-0167 [LOW]
Summary: Several security issues were fixed in curl.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl
Microsoft: wrong proxy connection reuse with credentials
vendor_msrc · 2026-03-10 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Affected: Mariner (curl)
Customer Action Required: Yes
Debian: CVE-2026-3784: curl - curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a se...
vendor_debian · 2026 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 8.19.0-1)
sid: resolved (fixed in 8.19.0-1)
trixie: open
OSV: curl vulnerabilities
osv · 2026-03-16 · CVSS 6.5 · CVE-2026-1965 [MEDIUM]
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS.
(CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
OSV: curl vulnerabilities
osv · 2026-03-11 · CVSS 3.4 · CVE-2026-1965 [LOW]
Zhicheng Chen discovered that curl could incorrectly reuse the wrong
connection for Negotiate-authenticated HTTP or HTTPS requests. This could
result in the use of credentials from a different connection, contrary to
expectations. (CVE-2026-1965)
It was discovered that curl incorrectly leaked OAuth2 bearer tokens when
following a redirect. This could result in tokens being sent to the wrong
host, contrary to expectations. (CVE-2026-3783)
Muhamad Arga Reksapati discovered that curl incorrectly reused existing
HTTP proxy connections even if the request used different credentials. This
could result in the use of incorrect credentials, contrary to expectations.
(CVE-2026-3784)
Daniel Wade discovered that curl incorrectly handled certain memory
operations when doing a s
OSV: CVE-2026-3784
osv · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
GHSA: GHSA-5q3w-6p3j-mw6p
ghsa_unreviewed · 2026-03-11 · CVE-2026-3784 [MEDIUM] · CWE-305
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2026-3784 mingw-curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintaine
Bugzilla: CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
HackerOne: CVE-2026-3784: wrong proxy connection reuse with credentials
hackerone · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Summary:
libcurl may reuse an existing HTTP proxy CONNECT tunnel without matching proxy credentials when selecting a reusable connection.
In lib/url.c, url_match_proxy_use() calls proxy_info_matches() (lib/url.c:930-935 → lib/url.c:589-595), and that matcher compares proxy type, host, and port but does not compare proxy username or password.
When a shared connection cache is used (CURLSH + CURL_LOCK_DATA_CONNECT), a transfer using different proxy credentials can reuse a previously authenticated tunnel.
In my reproduction the proxy receives only one CONNECT request with good:good, while a second transfer configured with bad:bad succeeds through the existing tunnel without issuing a new CONNECT.
This was reproduced both with seque
Bugzilla: CVE-2026-3784 trustee-guest-components: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a curre
Bugzilla: CVE-2026-3784 rpi-imager: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintaine
Bugzilla: CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-43]
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-66db242036 (curl-8.15.0-6.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-66db242036
---
FEDORA-2026-66db242036 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-66db242036`
You can provide feedback for this update here: https://bodhi.f
Bugzilla: CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]
bugzilla · 2026-03-11 · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
FEDORA-2026-907bbf2a13 (curl-8.11.1-8.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-907bbf2a13
---
FEDORA-2026-907bbf2a13 has been pushed to the Fedora 42 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-907bbf2a13`
You can provide feedback for this update here: https://bodhi.f
Wiz: CVE-2025-15224 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 3.1 · CVE-2025-15224 [LOW]
## CVE-2025-15224: cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and asked to do
public key authentication, curl would wrongly still ask and authenticate using
a locally running SSH agent.
Source: NVD
Score: 3.1 · Published January 8, 2026 · Severity LOW · CNA Score 3.1
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 24.4 · Exploitation Probability (EPSS): 0.1
Affected packages and libraries: curl, libcurl4
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity LOW No Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity LOW No Fix Added at: Jan 28, 2026
Wiz: CVE-2025-15079 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2025-15079 [MEDIUM]
## CVE-2025-15079: cURL vulnerability analysis and mitigation
When doing SSH-based transfers using either SCP or SFTP, and setting the
known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the
libssh global known_hosts file.
Source: NVD
Score: 5.3 · Published January 8, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.3 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: curl-debuginfo, libcurl-devel
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MED
Wiz: CVE-2025-14819 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2025-14819 [MEDIUM]
## CVE-2025-14819: cURL vulnerability analysis and mitigation
CURLSSLOPT_NO_PARTIALCHAIN
Source: NVD
Score: 5.3 · Published January 8, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.9 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-minimal-debuginfo, libcurl-devel-doc
Sources
Alpine 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDIUM Has Fix Added at: Jan 21, 2026
Alpine 3.22, 3.23 Severity MEDIUM Has Fix Added at: Jan 28, 2026
Alpine edge Severity MEDIUM Has Fix Added at: Jan 08, 2026
Container-Optimized OS Severity MEDIUM Has Fix Added at: Mar 03, 2026
Debian 1
Wiz: CVE-2026-3805 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.6 · CVE-2026-3805 [MEDIUM]
## CVE-2026-3805: cURL vulnerability analysis and mitigation
When doing a second SMB request to the same host again, curl would wrongly use
a data pointer pointing into already freed memory.
Source: NVD
Score: 7.5 · Published March 11, 2026 · Severity HIGH · CNA Score 7.5
Affected Technologies: cURL, Libcurl
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.7 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: rust-debugger-common, rust-src
Sources
Alpine 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH Has Fix Added at: Mar 13, 2026
Debian 13 Severity MEDIUM No Fix Added at: Mar 12, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 12, 2026
Homebrew Severity HI
Wiz: CVE-2025-14524 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2025-14524 [MEDIUM]
## CVE-2025-14524: cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP,
POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new
target host.
Source: NVD
Score: 5.3 · Published January 8, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.2 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl-devel-32bit, curl-zsh-completion
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21 Severity MEDI
Wiz: CVE-2026-3784 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · CVE-2026-3784 [MEDIUM]
## CVE-2026-3784: cURL vulnerability analysis and mitigation
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Source: NVD
Score: 6.5 · Published March 11, 2026 · Severity MEDIUM · CNA Score 6.5
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.1 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: libcurl, rust-doc
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Added at: Mar 13, 20
Wiz: CVE-2026-1965 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · CVE-2026-1965 [MEDIUM]
## CVE-2026-1965: cURL vulnerability analysis and mitigation
libcurl can in some circumstances reuse the wrong connection when asked to do
a Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
When reusing a connection, a range of criteria must first be met. Due to a
logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was
authenticated using different credentials. One underlying reason is that
Negotiate sometimes authenticates connections and not requests, contrary
to how HTTP is designed to work.
user1:password1
user2:password2
CURLOPT_HTTPAUTH
CURLOPT_FRESH_CONNECT
C
Wiz: CVE-2025-13034 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.9 · CVE-2025-13034 [MEDIUM]
## CVE-2025-13034: cURL vulnerability analysis and mitigation
CURLOPT_PINNEDPUBLICKEY
--pinnedpubkey
This check was skipped in a certain condition that would then make curl allow
the connection without performing the proper check, thus not noticing a
possible impostor. To skip this check, the connection had to be done with QUIC
with ngtcp2 built to use GnuTLS and the user had to explicitly disable the
standard certificate verification.
Source: NVD
Score: 5.9 · Published January 8, 2026 · Severity MEDIUM · CNA Score 5.9
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.2 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: curl
Wiz: CVE-2025-11563 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.6 · CVE-2025-11563 [MEDIUM]
## CVE-2025-11563: cURL vulnerability analysis and mitigation
## Overview
CVE-2025-11563 is a path traversal vulnerability affecting wcurl, discovered on October 6, 2025, and publicly disclosed on November 4, 2025. The vulnerability affects wcurl versions shipped with curl 8.14.0 to 8.16.0 and standalone wcurl versions from 2024.12.08 to 2025.09.27. This security flaw allows URLs containing percent-encoded slashes (/ or ) to trick wcurl into saving output files outside of the current directory without explicit user permission ( Curl Advisory ).
## Technical details
The vulnerability is classified as CWE-35: Path Traversal with a Moderate severity rating. The issue stems from wcurl's handling of percent-encoded slashes in URLs, where the tool incorrectly processes URLs containing p
Wiz: CVE-2025-14017 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.3 · CVE-2025-14017 [MEDIUM]
## CVE-2025-14017: cURL vulnerability analysis and mitigation
When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl,
changing TLS options in one thread would inadvertently change them globally
and therefore possibly also affect other concurrently setup transfers.
Disabling certificate verification for a specific transfer could
unintentionally disable the feature for other threads as well.
Source: NVD
Score: 6.3 · Published January 8, 2026 · Severity MEDIUM · CNA Score 6.3
Affected Technologies: cURL, Libcurl
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.6 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: snphost, cpe:2.3:a:haxx:curl
Sources
Alp
Wiz: CVE-2026-3783 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · CVE-2026-3783 [MEDIUM]
## CVE-2026-3783: cURL vulnerability analysis and mitigation
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
machine
default
Source: NVD
Score: 5.3 · Published March 11, 2026 · Severity MEDIUM · CNA Score 5.3
Affected Technologies: cURL, Alma Linux
Has Public Exploit: Yes · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.5 · Exploitation Probability (EPSS): N/A
Affected packages and libraries: s390utils-mon_statd, trustee-guest-components
Sources
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity MEDIUM Has Fix Ad
Published: 2026-03-11