Home

Description

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.

PUBLISHED Reserved 2026-05-11 | Published 2026-07-03 | Updated 2026-07-06 | Assigner curl

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status
unaffected

8.20.0 (semver)
affected

8.19.0 (semver)
affected

8.18.0 (semver)
affected

8.17.0 (semver)
affected

8.16.0 (semver)
affected

8.15.0 (semver)
affected

8.14.1 (semver)
affected

8.14.0 (semver)
affected

8.13.0 (semver)
affected

8.12.1 (semver)
affected

8.12.0 (semver)
affected

8.11.1 (semver)
affected

8.11.0 (semver)
affected

8.10.1 (semver)
affected

8.10.0 (semver)
affected

8.9.1 (semver)
affected

8.9.0 (semver)
affected

8.8.0 (semver)
affected

8.7.1 (semver)
affected

8.7.0 (semver)
affected

8.6.0 (semver)
affected

8.5.0 (semver)
affected

8.4.0 (semver)
affected

8.3.0 (semver)
affected

8.2.1 (semver)
affected

8.2.0 (semver)
affected

8.1.2 (semver)
affected

8.1.1 (semver)
affected

8.1.0 (semver)
affected

8.0.1 (semver)
affected

8.0.0 (semver)
affected

7.88.1 (semver)
affected

7.88.0 (semver)
affected

7.87.0 (semver)
affected

7.86.0 (semver)
affected

7.85.0 (semver)
affected

7.84.0 (semver)
affected

7.83.1 (semver)
affected

7.83.0 (semver)
affected

7.82.0 (semver)
affected

7.81.0 (semver)
affected

7.80.0 (semver)
affected

7.79.1 (semver)
affected

7.79.0 (semver)
affected

7.78.0 (semver)
affected

7.77.0 (semver)
affected

7.76.1 (semver)
affected

7.76.0 (semver)
affected

7.75.0 (semver)
affected

7.74.0 (semver)
affected

7.73.0 (semver)
affected

7.72.0 (semver)
affected

7.71.1 (semver)
affected

7.71.0 (semver)
affected

7.70.0 (semver)
affected

7.69.1 (semver)
affected

7.69.0 (semver)
affected

7.68.0 (semver)
affected

7.67.0 (semver)
affected

7.66.0 (semver)
affected

7.65.3 (semver)
affected

7.65.2 (semver)
affected

7.65.1 (semver)
affected

7.65.0 (semver)
affected

7.64.1 (semver)
affected

7.64.0 (semver)
affected

7.63.0 (semver)
affected

7.62.0 (semver)
affected

7.61.1 (semver)
affected

7.61.0 (semver)
affected

7.60.0 (semver)
affected

7.59.0 (semver)
affected

7.58.0 (semver)
affected

7.57.0 (semver)
affected

7.56.1 (semver)
affected

7.56.0 (semver)
affected

7.55.1 (semver)
affected

7.55.0 (semver)
affected

7.54.1 (semver)
affected

7.54.0 (semver)
affected

7.53.1 (semver)
affected

7.53.0 (semver)
affected

7.52.1 (semver)
affected

7.52.0 (semver)
affected

7.51.0 (semver)
affected

7.50.3 (semver)
affected

7.50.2 (semver)
affected

7.50.1 (semver)
affected

7.50.0 (semver)
affected

7.49.1 (semver)
affected

7.49.0 (semver)
affected

7.48.0 (semver)
affected

7.47.1 (semver)
affected

7.47.0 (semver)
affected

7.46.0 (semver)
affected

7.45.0 (semver)
affected

7.44.0 (semver)
affected

7.43.0 (semver)
affected

7.42.1 (semver)
affected

7.42.0 (semver)
affected

7.41.0 (semver)
affected

7.40.0 (semver)
affected

7.39.0 (semver)
affected

7.38.0 (semver)
affected

7.37.1 (semver)
affected

7.37.0 (semver)
affected

7.36.0 (semver)
affected

7.35.0 (semver)
affected

7.34.0 (semver)
affected

7.33.0 (semver)
affected

7.32.0 (semver)
affected

7.31.0 (semver)
affected

7.30.0 (semver)
affected

Credits

Andrew Nesbitt (powered by Mythos) finder

Stefan Eissing remediation developer

References

hackerone.com/reports/3718195 exploit

curl.se/docs/CVE-2026-8286.json (json)

curl.se/docs/CVE-2026-8286.html (www)

hackerone.com/reports/3718195 (issue)

cve.org (CVE-2026-8286)

nvd.nist.gov (CVE-2026-8286)

Download JSON