CVE-2026-4873

MEDIUM

curl 8.7.0-8.19.0 - TLS Bypass via Connection Pool Reuse

Title source: llm

Description

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.

References (4)

Core 4

Core References

json

https://curl.se/docs/CVE-2026-4873.json

www

https://curl.se/docs/CVE-2026-4873.html

issue

https://hackerone.com/reports/3621851

Mailing List

http://www.openwall.com/lists/oss-security/2026/04/29/7

Scores

CVSS v3 5.9

EPSS 0.0001

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-295 CWE-319

Status published

Products (50)

curl/curl 7.20.0

curl/curl 7.20.1

curl/curl 7.21.0

curl/curl 7.21.1

curl/curl 7.21.2

curl/curl 7.21.3

curl/curl 7.21.4

curl/curl 7.21.5

curl/curl 7.21.6

curl/curl 7.21.7

... and 40 more

Published May 13, 2026

Tracked Since May 13, 2026