CVE-2026-5545
published 2026-05-13
CVE-2026-5545: libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both…
Priority P3 · 41 · medium · 6.5 CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS 0.04% (12.2th percentile)
libcurl might in some circumstances reuse the wrong connection when asked to
do an authenticated HTTP(S) request after a Negotiate-authenticated one, when
both use the same host.
libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.
Before a pooled connection is reused, a range of criteria must be met. Due to a
logical error in that check, a request issued by an application could
wrongfully reuse an existing connection to the same server that had been
authenticated with different credentials.
Consider an application that first uses Negotiate authentication to a server
with `user1:password1`, then issues another request to the same server with
`user2:password2` while allowing any authentication method (and while the
previous connection is still alive). The second request wrongly reuses the
existing connection and is sent over it as if it carried a mix of user1's and
user2's credentials, when in fact the connection is still authenticated as
user1...
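The point that matters for anyone auditing a connection pool is which side of the match the identity check keys on. Negotiate authenticates the connection rather than each request, so once a pooled connection carries an identity, the pool must refuse it to any request with different credentials, no matter which mechanisms the new request is willing to accept. The model below is an added example written for this page, not libcurl's code; the struct and function names are invented, NTLM is listed alongside Negotiate only as general libcurl background (both are connection-oriented), and the flawed variant models the shape of the error the advisory describes rather than the actual libcurl source.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a connection-pool reuse check (not libcurl's code). */
typedef enum {
    AUTH_NONE      = 0,
    AUTH_BASIC     = 1 << 0,   /* per-request: credentials travel in each request */
    AUTH_NTLM      = 1 << 1,   /* connection-oriented (general libcurl background) */
    AUTH_NEGOTIATE = 1 << 2,   /* connection-oriented: the mechanism in this advisory */
    AUTH_ANY       = AUTH_BASIC | AUTH_NTLM | AUTH_NEGOTIATE
} auth_t;

typedef struct {
    const char *host; int port; bool tls;
    auth_t auth_used;             /* mechanism that authenticated this connection */
    const char *user, *password;  /* identity the server associated with it */
} pooled_conn;

typedef struct {
    const char *host; int port; bool tls;
    auth_t auth_allowed;          /* bitmask of mechanisms the request accepts */
    const char *user, *password;
} request;

static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

static bool same_endpoint(const pooled_conn *c, const request *r)
{
    return str_eq(c->host, r->host) && c->port == r->port && c->tls == r->tls;
}

static bool same_credentials(const pooled_conn *c, const request *r)
{
    return str_eq(c->user, r->user) && str_eq(c->password, r->password);
}

/* Negotiate and NTLM bind an identity to the connection, not to a request. */
static bool auth_is_connection_bound(auth_t a)
{
    return a == AUTH_NEGOTIATE || a == AUTH_NTLM;
}

/* Flawed shape: the identity is compared only when the NEW REQUEST restricts
   itself to a connection-bound mechanism. A request that allows "any" method
   skips the comparison, so user2's request rides user1's Negotiate connection. */
bool reusable_flawed(const pooled_conn *c, const request *r)
{
    if (!same_endpoint(c, r)) return false;
    if (r->auth_allowed == AUTH_NEGOTIATE || r->auth_allowed == AUTH_NTLM)
        return same_credentials(c, r);
    return true;
}

/* Correct shape: key on what the POOLED CONNECTION is bound to. Once it carries
   an identity, only a request with that exact identity may reuse it, whatever
   mechanisms the request would accept. Unauthenticated or Basic-authenticated
   connections stay freely reusable, since Basic re-sends credentials per request. */
bool reusable_fixed(const pooled_conn *c, const request *r)
{
    if (!same_endpoint(c, r)) return false;
    if (auth_is_connection_bound(c->auth_used))
        return same_credentials(c, r);
    return true;
}

int main(void)
{
    /* Constructed scenario from the advisory: user1 over Negotiate, then user2 with "any". */
    pooled_conn user1_conn = { "intranet.example", 443, true, AUTH_NEGOTIATE, "user1", "password1" };
    request     user2_req  = { "intranet.example", 443, true, AUTH_ANY,       "user2", "password2" };
    printf("flawed check reuses user1's connection for user2: %d\n",
           reusable_flawed(&user1_conn, &user2_req));
    printf("fixed check reuses user1's connection for user2:  %d\n",
           reusable_fixed(&user1_conn, &user2_req));
    return 0;
}
```

Until an application runs a libcurl build with the fix (this page lists no fixed version), an application that switches identities against the same host can sidestep the pool with libcurl's general-purpose options `CURLOPT_FRESH_CONNECT` (force a new connection for this transfer) and `CURLOPT_FORBID_REUSE` (do not return the connection to the pool afterwards) on the Negotiate transfer; that is a generic libcurl workaround, not one stated in this advisory.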
Affected
192 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| build-of-trustee | trustee-rhel9 | — | — |
| code.vikunja.io | api | >= 0 < 2.3.0 | 2.3.0 |
| confidential-compute-attestation-tech-preview | trustee-rhel9 | — | — |
| confidential-containers | trustee | — | — |
| curl | curl | 7.10.6 – 7.10.6 | — |
| curl | curl | 7.10.7 – 7.10.7 | — |
| curl | curl | 7.10.8 – 7.10.8 | — |
| curl | curl | 7.11.0 – 7.11.0 | — |
| curl | curl | 7.11.1 – 7.11.1 | — |
| curl | curl | 7.11.2 – 7.11.2 | — |
| curl | curl | 7.12.0 – 7.12.0 | — |
| curl | curl | 7.12.1 – 7.12.1 | — |
| curl | curl | 7.12.2 – 7.12.2 | — |
| curl | curl | 7.12.3 – 7.12.3 | — |
| curl | curl | 7.13.0 – 7.13.0 | — |
| curl | curl | 7.13.1 – 7.13.1 | — |
| curl | curl | 7.13.2 – 7.13.2 | — |
| curl | curl | 7.14.0 – 7.14.0 | — |
| curl | curl | 7.14.1 – 7.14.1 | — |
| curl | curl | 7.15.0 – 7.15.0 | — |
| curl | curl | 7.15.1 – 7.15.1 | — |
| curl | curl | 7.15.2 – 7.15.2 | — |
| curl | curl | 7.15.3 – 7.15.3 | — |
| curl | curl | 7.15.4 – 7.15.4 | — |
| curl | curl | 7.15.5 – 7.15.5 | — |
CVSS provenance
NVD v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
vendor_redhat: 6.5 MEDIUM
Ubuntu
curl vulnerabilities
vendor_ubuntu·2026-05-04
CVE-2026-4873 curl vulnerabilities
Title: curl vulnerabilities
Summary: curl could be made to expose sensitive information over the network.
It was discovered that curl incorrectly reused non-TLS connections when
TLS was required in some STARTTLS configurations. A remote attacker could
possibly use this issue to obtain sensitive information. (CVE-2026-4873)
It was discovered that curl incorrectly reused certain HTTP Negotiate
connections. A remote attacker could possibly use this issue to obtain
sensitive information. (CVE-2026-5545)
It was discovered that curl incorrectly reused certain SMB connections. A
remote attacker could possibly use this issue to obtain sensitive
information. (CVE-2026-5773)
It was discovered that curl could leak proxy credentials when handling
redirects in some configurations. A remote attacke
Red Hat
curl: libcurl: Authentication bypass due to incorrect HTTP Negotiate connection reuse
vendor_redhat·2026-04-29·CVSS 6.5
CVE-2026-5545 [MEDIUM] CWE-488 curl: libcurl: Authentication bypass due to incorrect HTTP Negotiate connection reuse
A flaw was found in libcurl. An application using libcurl that performs an authenticated HTTP(S) request after a Negotiate-authenticated one to the same host may incorrectly reuse the previous connection. This authentication bypass vulnerability allows the second request to be sent over a connection authenticated with different credentials, potentially leading to unauthorized access or information disclosure.
Statement: Moderate: A flaw in libcurl allows for the wrong reuse of HTTP Negotiate authenticated connections. This can occur when an application makes an authenticated HTTP(S) request after a Negotiate-authenticated one to the same host, potentially leading to a request being sent over a connectio
GHSA
GHSA-6g7g-56fm-f8mp: libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one,
ghsa_unreviewed·2026-05-13
CVE-2026-5545 [MEDIUM] CWE-613
GHSA
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
ghsa·2026-04-10
CVE-2026-35601 [MEDIUM] CWE-93 Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
## Summary
The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as `ATTACH`, `VALARM`, or `ORGANIZER`.
## Details
The `ParseTodos` function at `pkg/caldav/caldav.go:146` concatenates the task summary directly into the iCalendar output:
```go
SUMMARY:` + t.Summary + getCaldavColor(t.Color)
```
RFC 5545 Section 3.3.11 requires TEXT property values to escape newlines as `\n`, semicolons as `\;`, commas as `\,`, and backslashes as `\\`. None of these escaping rules are applied to `Summar
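The fix the advisory points at is to run every user-controlled value through RFC 5545 TEXT escaping before it is concatenated into a property line, so that a CRLF inside a task title can no longer terminate `SUMMARY` and start an `ATTACH` or `ORGANIZER` property of the attacker's choosing. The code below is an added example written in C for this page, not Vikunja's Go code; the function names and the sample task title are invented. It places the raw concatenation beside the escaped form and counts the property lines each one produces. CR and other control characters are dropped outright because RFC 5545 does not allow them inside a TEXT value at all (that choice is the author's reading of the grammar, not something the advisory states).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Vikunja's code. Escape one iCalendar TEXT value per
   RFC 5545 section 3.3.11: backslash -> \\, semicolon -> \;, comma -> \,,
   LF -> the two characters "\n". CR and other control characters (except TAB)
   are not permitted in TEXT values, so they are dropped; a CRLF pair therefore
   becomes the literal "\n". Returns the escaped length, or SIZE_MAX if out is
   too small (fail closed rather than emit a truncated, possibly half-escaped value). */
size_t ical_escape_text(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[2] = { (char)*p, '\0' };
        const char *rep = tmp;
        switch (*p) {
        case '\\': rep = "\\\\"; break;
        case ';':  rep = "\\;";  break;
        case ',':  rep = "\\,";  break;
        case '\n': rep = "\\n";  break;
        default:
            if (*p < 0x20 && *p != '\t') continue;  /* CR and other controls: drop */
            break;
        }
        size_t l = strlen(rep);
        if (n + l >= outlen) return SIZE_MAX;
        memcpy(out + n, rep, l);
        n += l;
    }
    out[n] = '\0';
    return n;
}

/* Vulnerable shape (models the raw concatenation in the advisory): the title
   goes into the property line verbatim, so a CRLF inside it ends SUMMARY and
   whatever follows is parsed as a new property. */
size_t summary_line_raw(const char *title, char *out, size_t outlen)
{
    int w = snprintf(out, outlen, "SUMMARY:%s\r\n", title);
    return (w < 0 || (size_t)w >= outlen) ? SIZE_MAX : (size_t)w;
}

/* Hardened shape: escape first, then emit exactly one property line. */
size_t summary_line_escaped(const char *title, char *out, size_t outlen)
{
    char esc[512];
    if (ical_escape_text(title, esc, sizeof esc) == SIZE_MAX) return SIZE_MAX;
    int w = snprintf(out, outlen, "SUMMARY:%s\r\n", esc);
    return (w < 0 || (size_t)w >= outlen) ? SIZE_MAX : (size_t)w;
}

/* Number of CRLF-terminated content lines in a fragment. One SUMMARY must
   yield exactly one; anything more means a property was injected. */
int ical_count_lines(const char *s)
{
    int n = 0;
    for (const char *q = strstr(s, "\r\n"); q; q = strstr(q + 2, "\r\n")) n++;
    return n;
}

int main(void)
{
    /* Constructed attacker-controlled task title carrying a CRLF and an ATTACH property. */
    const char *title = "Team sync\r\nATTACH:http://attacker.example/payload.ics";
    char raw[256], safe[256];
    summary_line_raw(title, raw, sizeof raw);
    summary_line_escaped(title, safe, sizeof safe);
    printf("raw:     %d property line(s)\n", ical_count_lines(raw));
    printf("escaped: %d property line(s)\n", ical_count_lines(safe));
    return 0;
}
```

The same escaping applies to every TEXT-typed property (DESCRIPTION, LOCATION, CATEGORIES and so on), not just SUMMARY. Line folding of content lines longer than 75 octets (RFC 5545 section 3.1) is a separate step that belongs in the writer, after escaping.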
No detection rules found.
No public exploits indexed.
Published 2026-05-13