CVE-2026-7009 | THREATINT

Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-13 | Updated 2026-05-13 | Assigner curl

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status

unaffected

8.19.0 (semver)

affected

8.18.0 (semver)

affected

8.17.0 (semver)

affected

Credits

Carlos Carrillo finder

Stefan Eissing remediation developer

References

www.openwall.com/lists/oss-security/2026/04/29/12

hackerone.com/reports/3694390 exploit

curl.se/docs/CVE-2026-7009.json (json)

curl.se/docs/CVE-2026-7009.html (www)

hackerone.com/reports/3694390 (issue)

cve.org (CVE-2026-7009)

nvd.nist.gov (CVE-2026-7009)

Download JSON