Home

Description

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

PUBLISHED Reserved 2026-05-20 | Published 2026-07-03 | Updated 2026-07-06 | Assigner curl

Problem types

CWE-522 Insufficiently Protected Credentials

Product status

Default status
unaffected

8.20.0 (semver)
affected

8.19.0 (semver)
affected

8.18.0 (semver)
affected

8.17.0 (semver)
affected

8.16.0 (semver)
affected

8.15.0 (semver)
affected

8.14.1 (semver)
affected

8.14.0 (semver)
affected

8.13.0 (semver)
affected

8.12.1 (semver)
affected

8.12.0 (semver)
affected

8.11.1 (semver)
affected

8.11.0 (semver)
affected

8.10.1 (semver)
affected

8.10.0 (semver)
affected

8.9.1 (semver)
affected

8.9.0 (semver)
affected

8.8.0 (semver)
affected

Credits

Guancheng Li finder

Daniel Stenberg remediation developer

References

hackerone.com/reports/3750295 exploit

curl.se/docs/CVE-2026-9079.json (json)

curl.se/docs/CVE-2026-9079.html (www)

hackerone.com/reports/3750295 (issue)

cve.org (CVE-2026-9079)

nvd.nist.gov (CVE-2026-9079)

Download JSON