CVE-2026-8926

CRITICAL

curl - Password Leak with Netrc and User in URL

Title source: rule
STIX 2.1

Description

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://[email protected]/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

Scores

CVSS v3 9.1
EPSS 0.0061
EPSS Percentile 45.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-522
Status published
Products (13)
curl/curl 8.11.1
curl/curl 8.12.0
curl/curl 8.12.1
curl/curl 8.13.0
curl/curl 8.14.0
curl/curl 8.14.1
curl/curl 8.15.0
curl/curl 8.16.0
curl/curl 8.17.0
curl/curl 8.18.0
... and 3 more
Published Jul 03, 2026
Tracked Since Jul 03, 2026