CVE-2026-6429

MEDIUM

curl - Password Leak via .netrc File During HTTP Redirect

Title source: llm

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

References (3)

Core 3

Core References

json

https://curl.se/docs/CVE-2026-6429.json

www

https://curl.se/docs/CVE-2026-6429.html

issue

https://hackerone.com/reports/3677759

Scores

CVSS v3 5.3

EPSS 0.0002

EPSS Percentile 6.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

Status published

Products (50)

curl/curl 7.14.0

curl/curl 7.14.1

curl/curl 7.15.0

curl/curl 7.15.1

curl/curl 7.15.2

curl/curl 7.15.3

curl/curl 7.15.4

curl/curl 7.15.5

curl/curl 7.16.0

curl/curl 7.16.1

... and 40 more

Published May 13, 2026

Tracked Since May 13, 2026