CVE-2026-3784 — Authentication Bypass by Primary Weakness in Curl

CWE-305 — Authentication Bypass by Primary Weakness15 documents11 sources

Severity

6.5MEDIUMNVD

EPSS

0.0%

top 96.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Haxx Curl Curl

Timeline

PublishedMar 11

Latest updateMar 16

Description

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶NVDhaxx/curl7.7 — 8.18.0

▶Debianhaxx/curl< 8.19.0-1

▶CVEListV5curl/curl8.18.0 — 8.18.0+190

Patches

Patch: curl.se ↗

🔴Vulnerability Details

OSV

curl vulnerabilities↗2026-03-16

▶

CVEList

wrong proxy connection reuse with credentials↗2026-03-11

▶

OSV

CVE-2026-3784: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP↗2026-03-11

▶

GHSA

GHSA-5q3w-6p3j-mw6p: curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP↗2026-03-11

▶

OSV

curl vulnerabilities↗2026-03-11

▶

📋Vendor Advisories

Ubuntu

curl vulnerabilities↗2026-03-16

▶

Red Hat

curl: curl: Unauthorized access due to improper HTTP proxy connection reuse↗2026-03-11

▶

Ubuntu

curl vulnerabilities↗2026-03-11

▶

Microsoft

wrong proxy connection reuse with credentials↗2026-03-10

▶

Debian

CVE-2026-3784: curl - curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a se...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-3784 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

HackerOne

CVE-2026-3784: wrong proxy connection reuse with credentials↗2026-03-11

▶

Bugzilla

CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-43]↗2026-03-11

▶

Bugzilla

CVE-2026-3784 curl: curl: Unauthorized access due to improper HTTP proxy connection reuse [fedora-42]↗2026-03-11

▶