CVE-2026-7009
Published 2026-05-13
Priority P4 · 25 · CVSS 3.1 base score 5.3 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.01% (2.5th percentile)
When curl is told to use the Certificate Status Request TLS extension, often
referred to as *OCSP stapling*, to verify that the server certificate is
valid, it fails to detect OCSP problems and instead wrongly considers the
response as fine. In practice this means a stapled response that reports the
certificate as revoked, or that is otherwise bad, is treated as if it confirmed
the certificate, so the revocation check the caller explicitly asked for is
silently not enforced. That check is the one enabled with the `--cert-status`
command-line option (`CURLOPT_SSL_VERIFYSTATUS` in libcurl); per the
description, the flaw is only reached when that option is in use.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| curl | curl | 8.17.0 – 8.17.0 | — |
| curl | curl | 8.18.0 – 8.18.0 | — |
| curl | curl | 8.19.0 – 8.19.0 | — |
| haxx | curl | >= 8.17.0 < 8.20.0 | 8.20.0 |
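As an added example (not code from the page or from the curl project), a POSIX shell helper that classifies an installed curl against the affected range from the table above (>= 8.17.0 and < 8.20.0, fixed in 8.20.0), parsing the version out of the first line of `curl --version`. It also carries a live-check function that is an assumption on the operator's side: it needs network access and a host that serves a revoked certificate together with a stapled OCSP response, and it is defined but not run here.

```shell
#!/bin/sh
# Added example; not part of the advisory or of curl itself.
# Affected range taken from the advisory's table: >= 8.17.0 and < 8.20.0.

# curl_version_affected VERSION
# Prints "affected", "not-affected" or "unparseable".
# Exit status: 0 affected, 1 not affected, 2 could not parse.
curl_version_affected() {
    ver=$1
    case "$ver" in
        *.*) ;;                      # need at least major.minor
        *) echo "unparseable"; return 2 ;;
    esac
    major=${ver%%.*}                 # text before the first dot
    rest=${ver#*.}                   # text after the first dot
    minor=${rest%%.*}                # up to the next dot (or end)
    case "$major" in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
    # Every 8.17.x, 8.18.x and 8.19.x release is in range; 8.20.0 is fixed.
    if [ "$major" -eq 8 ] && [ "$minor" -ge 17 ] && [ "$minor" -lt 20 ]; then
        echo "affected"; return 0
    fi
    echo "not-affected"; return 1
}

# curl_version_from_banner "$(curl --version)"
# The first banner line looks like:
#   curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.0.13 ...
# Prints just the leading version number (suffixes such as -DEV are dropped).
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# curl_stapling_live_check HOST   (assumption: HOST serves a revoked cert
# with a stapled OCSP response; needs network; not invoked in this file)
# --cert-status asks curl to require and verify the stapled response. A fixed
# curl must fail the connection; an affected build reports success. Note that
# a failure against a host that does not staple proves nothing, because
# --cert-status also fails when no response is stapled at all.
curl_stapling_live_check() {
    host=$1
    if curl --cert-status -sS -o /dev/null "https://$host/"; then
        echo "connection accepted: stapled OCSP status was NOT enforced"
        return 1
    fi
    echo "connection rejected: stapled OCSP status was enforced"
    return 0
}

# Report on the locally installed curl, if there is one.
if command -v curl >/dev/null 2>&1; then
    installed=$(curl_version_from_banner "$(curl --version)")
    printf 'installed curl %s: %s\n' "$installed" \
        "$(curl_version_affected "$installed")"
fi
```

The version check is intentionally tolerant of distribution suffixes (`8.18.0-DEV`, `8.18.0-1ubuntu1` style strings still parse as 8.18.0); what it cannot see is a distro backport of the fix to an older version string, so treat "affected" as "check your package changelog", not as proof.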
GHSA
GHSA-v355-7mqg-qj9c (ghsa_unreviewed · 2026-05-13) · CVE-2026-7009 [MEDIUM] · CWE-295 (Improper Certificate Validation)
Description: identical to the CVE description above.
VulDB
vuldb · 2026-05-01 · CVE-2026-7009 [LOW]
cURL up to 8.19.0 OCSP Stapling certificate validation (51905671e07f087e28e57 / Nessus ID 311424)
A vulnerability was found in cURL up to 8.19.0. It has been classified as critical. This vulnerability affects unknown code of the component OCSP Stapling Handler. Performing a manipulation results in improper certificate validation.
This vulnerability is cataloged as CVE-2026-7009. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.