CVE-2026-11564
Status: Received - Intake

libcurl Default CA Trust Misuse Vulnerability

Vulnerability report for CVE-2026-11564, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. An easy handle that first uses default native CA trust can continue trusting the native platform store after the application switches that same handle to custom CA material for a later transfer.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

1 associated CPE

Vendor: curl
Product: libcurl
Version range: from 8.17.0 (inclusive) to 8.21.0 (exclusive)

Exploitability

CWE ID: CWE-UNKNOWN

AI Quick Actions
Executive Summary

CVE-2026-11564 is a vulnerability in libcurl where a connection kept in the connection pool retains the native CA trust that was in effect when it was created, even after the application switches the same easy handle to custom CA material for a later transfer.

As a result, libcurl can accept TLS certificates that would have been rejected had the custom CA settings been applied consistently.

The issue affects builds that use the default "Native CA" trust store, particularly on Apple operating systems or Windows, with the OpenSSL, GnuTLS, Schannel, or Rustls TLS backends.

It does not affect the curl command line tool.

The vulnerability is classified as CWE-295 (Improper Certificate Validation) with low severity.

Impact Analysis

This vulnerability can cause libcurl to validate TLS certificates improperly by continuing to trust the native platform CA store even after an application switches to custom CA material.

As a result, connections may be established to servers presenting certificates that should have been rejected under the custom CA settings, which can expose the application to man-in-the-middle attacks or unauthorized access.

The impact is limited to applications that use libcurl 8.17.0 through 8.20.0, switch CA trust settings on the same easy handle, and rely on connection reuse.

Mitigation Strategies

To mitigate this vulnerability, upgrade libcurl to version 8.21.0 or later, where the issue is fixed.

Alternatively, apply the official patch provided for this vulnerability.

As a workaround, avoid reusing an easy handle with different CA options, so that a connection pooled under native CA trust is not reused after the handle's CA settings change.
