CVE-2026-9079

CRITICAL

curl - Stale Proxy Password Leak

Title source: rule
STIX 2.1

Description

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

Scores

CVSS v3 9.8
EPSS 0.0106
EPSS Percentile 60.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-522
Status published
Products (19)
curl/curl 8.10.0
curl/curl 8.10.1
curl/curl 8.11.0
curl/curl 8.11.1
curl/curl 8.12.0
curl/curl 8.12.1
curl/curl 8.13.0
curl/curl 8.14.0
curl/curl 8.14.1
curl/curl 8.15.0
... and 9 more
Published Jul 03, 2026
Tracked Since Jul 03, 2026