CVE-2026-6429: When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to…

CVE-2026-4873 curl vulnerabilities Title: curl vulnerabilities Summary: curl could be made to expose sensitive information over the network. It was discovered that curl incorrectly reused non-TLS connections when TLS was required in some STARTTLS configurations. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-4873) It was discovered that curl incorrectly reused certain HTTP Negotiate connections. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-5545) It was discovered that curl incorrectly reused certain SMB connections. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2026-5773) It was discovered that curl could leak proxy credentials when handling redirects in some configurations. A remote attacke

CVE-2026-6429 [MEDIUM] CWE-201 curl: libcurl: Credential leak via reused proxy connection during HTTP redirects curl: libcurl: Credential leak via reused proxy connection during HTTP redirects A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials. Statement: Moderate: A flaw in libcurl could lead to credential leakage. This issue occurs when libcurl is configured to use a `.netrc` file for credentials and follows H

CVE-2026-6429 [MEDIUM] GHSA-2pvc-5qw9-h3ph: When asked to both use a ` When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

CVE-2026-6429 [MEDIUM] CVE-2026-6429 curl: libcurl: Credential leak via reused proxy connection during HTTP redirects CVE-2026-6429 curl: libcurl: Credential leak via reused proxy connection during HTTP redirects A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials.