HomeDefault status
unaffected
8.19.0 (semver)
affected
8.18.0 (semver)
affected
8.17.0 (semver)
affected
8.16.0 (semver)
affected
8.15.0 (semver)
affected
8.14.1 (semver)
affected
8.14.0 (semver)
affected
8.13.0 (semver)
affected
8.12.1 (semver)
affected
8.12.0 (semver)
affected
8.11.1 (semver)
affected
8.11.0 (semver)
affected
8.10.1 (semver)
affected
8.10.0 (semver)
affected
8.9.1 (semver)
affected
8.9.0 (semver)
affected
8.8.0 (semver)
affected
8.7.1 (semver)
affected
8.7.0 (semver)
affected
8.6.0 (semver)
affected
8.5.0 (semver)
affected
8.4.0 (semver)
affected
8.3.0 (semver)
affected
8.2.1 (semver)
affected
8.2.0 (semver)
affected
8.1.2 (semver)
affected
8.1.1 (semver)
affected
8.1.0 (semver)
affected
8.0.1 (semver)
affected
8.0.0 (semver)
affected
7.88.1 (semver)
affected
7.88.0 (semver)
affected
7.87.0 (semver)
affected
7.86.0 (semver)
affected
7.85.0 (semver)
affected
7.84.0 (semver)
affected
7.83.1 (semver)
affected
7.83.0 (semver)
affected
7.82.0 (semver)
affected
7.81.0 (semver)
affected
7.80.0 (semver)
affected
7.79.1 (semver)
affected
7.79.0 (semver)
affected
7.78.0 (semver)
affected
7.77.0 (semver)
affected
7.76.1 (semver)
affected
7.76.0 (semver)
affected
7.75.0 (semver)
affected
7.74.0 (semver)
affected
7.73.0 (semver)
affected
7.72.0 (semver)
affected
7.71.1 (semver)
affected
7.71.0 (semver)
affected
7.70.0 (semver)
affected
7.69.1 (semver)
affected
7.69.0 (semver)
affected
7.68.0 (semver)
affected
7.67.0 (semver)
affected
7.66.0 (semver)
affected
7.65.3 (semver)
affected
7.65.2 (semver)
affected
7.65.1 (semver)
affected
7.65.0 (semver)
affected
7.64.1 (semver)
affected
7.64.0 (semver)
affected
7.63.0 (semver)
affected
7.62.0 (semver)
affected
7.61.1 (semver)
affected
7.61.0 (semver)
affected
7.60.0 (semver)
affected
7.59.0 (semver)
affected
7.58.0 (semver)
affected
7.57.0 (semver)
affected
7.56.1 (semver)
affected
7.56.0 (semver)
affected
7.55.1 (semver)
affected
7.55.0 (semver)
affected
7.54.1 (semver)
affected
7.54.0 (semver)
affected
7.53.1 (semver)
affected
7.53.0 (semver)
affected
7.52.1 (semver)
affected
7.52.0 (semver)
affected
7.51.0 (semver)
affected
7.50.3 (semver)
affected
7.50.2 (semver)
affected
7.50.1 (semver)
affected
7.50.0 (semver)
affected
7.49.1 (semver)
affected
7.49.0 (semver)
affected
7.48.0 (semver)
affected
7.47.1 (semver)
affected
7.47.0 (semver)
affected
7.46.0 (semver)
affected
7.45.0 (semver)
affected
7.44.0 (semver)
affected
7.43.0 (semver)
affected
7.42.1 (semver)
affected
7.42.0 (semver)
affected
7.41.0 (semver)
affected
7.40.0 (semver)
affected
7.39.0 (semver)
affected
7.38.0 (semver)
affected
7.37.1 (semver)
affected
7.37.0 (semver)
affected
7.36.0 (semver)
affected
7.35.0 (semver)
affected
7.34.0 (semver)
affected
7.33.0 (semver)
affected
7.32.0 (semver)
affected
7.31.0 (semver)
affected
7.30.0 (semver)
affected
7.29.0 (semver)
affected
7.28.1 (semver)
affected
7.28.0 (semver)
affected
7.27.0 (semver)
affected
7.26.0 (semver)
affected
7.25.0 (semver)
affected
7.24.0 (semver)
affected
7.23.1 (semver)
affected
7.23.0 (semver)
affected
7.22.0 (semver)
affected
7.21.7 (semver)
affected
7.21.6 (semver)
affected
7.21.5 (semver)
affected
7.21.4 (semver)
affected
7.21.3 (semver)
affected
7.21.2 (semver)
affected
7.21.1 (semver)
affected
7.21.0 (semver)
affected
7.20.1 (semver)
affected
7.20.0 (semver)
affected
7.19.7 (semver)
affected
7.19.6 (semver)
affected
7.19.5 (semver)
affected
7.19.4 (semver)
affected
7.19.3 (semver)
affected
7.19.2 (semver)
affected
7.19.1 (semver)
affected
7.19.0 (semver)
affected
7.18.2 (semver)
affected
7.18.1 (semver)
affected
7.18.0 (semver)
affected
7.17.1 (semver)
affected
7.17.0 (semver)
affected
7.16.4 (semver)
affected
7.16.3 (semver)
affected
7.16.2 (semver)
affected
7.16.1 (semver)
affected
7.16.0 (semver)
affected
7.15.5 (semver)
affected
7.15.4 (semver)
affected
7.15.3 (semver)
affected
7.15.2 (semver)
affected
7.15.1 (semver)
affected
7.15.0 (semver)
affected
7.14.1 (semver)
affected
Description
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
Problem types
CWE-522 Insufficiently Protected Credentials
Product status
8.19.0 (semver)
8.18.0 (semver)
8.17.0 (semver)
8.16.0 (semver)
8.15.0 (semver)
8.14.1 (semver)
8.14.0 (semver)
8.13.0 (semver)
8.12.1 (semver)
8.12.0 (semver)
8.11.1 (semver)
8.11.0 (semver)
8.10.1 (semver)
8.10.0 (semver)
8.9.1 (semver)
8.9.0 (semver)
8.8.0 (semver)
8.7.1 (semver)
8.7.0 (semver)
8.6.0 (semver)
8.5.0 (semver)
8.4.0 (semver)
8.3.0 (semver)
8.2.1 (semver)
8.2.0 (semver)
8.1.2 (semver)
8.1.1 (semver)
8.1.0 (semver)
8.0.1 (semver)
8.0.0 (semver)
7.88.1 (semver)
7.88.0 (semver)
7.87.0 (semver)
7.86.0 (semver)
7.85.0 (semver)
7.84.0 (semver)
7.83.1 (semver)
7.83.0 (semver)
7.82.0 (semver)
7.81.0 (semver)
7.80.0 (semver)
7.79.1 (semver)
7.79.0 (semver)
7.78.0 (semver)
7.77.0 (semver)
7.76.1 (semver)
7.76.0 (semver)
7.75.0 (semver)
7.74.0 (semver)
7.73.0 (semver)
7.72.0 (semver)
7.71.1 (semver)
7.71.0 (semver)
7.70.0 (semver)
7.69.1 (semver)
7.69.0 (semver)
7.68.0 (semver)
7.67.0 (semver)
7.66.0 (semver)
7.65.3 (semver)
7.65.2 (semver)
7.65.1 (semver)
7.65.0 (semver)
7.64.1 (semver)
7.64.0 (semver)
7.63.0 (semver)
7.62.0 (semver)
7.61.1 (semver)
7.61.0 (semver)
7.60.0 (semver)
7.59.0 (semver)
7.58.0 (semver)
7.57.0 (semver)
7.56.1 (semver)
7.56.0 (semver)
7.55.1 (semver)
7.55.0 (semver)
7.54.1 (semver)
7.54.0 (semver)
7.53.1 (semver)
7.53.0 (semver)
7.52.1 (semver)
7.52.0 (semver)
7.51.0 (semver)
7.50.3 (semver)
7.50.2 (semver)
7.50.1 (semver)
7.50.0 (semver)
7.49.1 (semver)
7.49.0 (semver)
7.48.0 (semver)
7.47.1 (semver)
7.47.0 (semver)
7.46.0 (semver)
7.45.0 (semver)
7.44.0 (semver)
7.43.0 (semver)
7.42.1 (semver)
7.42.0 (semver)
7.41.0 (semver)
7.40.0 (semver)
7.39.0 (semver)
7.38.0 (semver)
7.37.1 (semver)
7.37.0 (semver)
7.36.0 (semver)
7.35.0 (semver)
7.34.0 (semver)
7.33.0 (semver)
7.32.0 (semver)
7.31.0 (semver)
7.30.0 (semver)
7.29.0 (semver)
7.28.1 (semver)
7.28.0 (semver)
7.27.0 (semver)
7.26.0 (semver)
7.25.0 (semver)
7.24.0 (semver)
7.23.1 (semver)
7.23.0 (semver)
7.22.0 (semver)
7.21.7 (semver)
7.21.6 (semver)
7.21.5 (semver)
7.21.4 (semver)
7.21.3 (semver)
7.21.2 (semver)
7.21.1 (semver)
7.21.0 (semver)
7.20.1 (semver)
7.20.0 (semver)
7.19.7 (semver)
7.19.6 (semver)
7.19.5 (semver)
7.19.4 (semver)
7.19.3 (semver)
7.19.2 (semver)
7.19.1 (semver)
7.19.0 (semver)
7.18.2 (semver)
7.18.1 (semver)
7.18.0 (semver)
7.17.1 (semver)
7.17.0 (semver)
7.16.4 (semver)
7.16.3 (semver)
7.16.2 (semver)
7.16.1 (semver)
7.16.0 (semver)
7.15.5 (semver)
7.15.4 (semver)
7.15.3 (semver)
7.15.2 (semver)
7.15.1 (semver)
7.15.0 (semver)
7.14.1 (semver)
Credits
Dwij Mehta (O2 Lab
Texas A&M University)
Daniel Stenberg
References
www.openwall.com/lists/oss-security/2026/04/29/11
hackerone.com/reports/3669637
curl.se/docs/CVE-2026-6253.json (json)
curl.se/docs/CVE-2026-6253.html (www)
hackerone.com/reports/3669637 (issue)