CVE-2026-11856

Authorization Header Reuse in libcurl

Vulnerability report for CVE-2026-11856, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA` to `hostB`.



Affected Vendors & Products

Vendor: curl
Product: libcurl
Version / Range: from 7.10.6 (inclusive) to 8.20.0 (inclusive)

Exploitability

CWE ID Description
CWE-UNKNOWN

Executive Summary

CVE-2026-11856 is a vulnerability in libcurl where reusing a handle to perform a transfer to one HTTP origin (hostA) with Digest authentication and then switching that handle to a different origin (hostB) causes libcurl to send the Authorization header computed for hostA to hostB.

The authenticated state intended for hostA is thereby handed to hostB, which lets hostB impersonate the client towards hostA. hostB does not learn the client's credentials and does not see the details of hostA; what it gains is the ability to replay that specific request for the exact path covered by the Digest response.

The vulnerability is classified as CWE-294 (Authentication Bypass by Capture-replay) with medium severity and affects libcurl versions 7.10.6 through 8.20.0. It was fixed in version 8.21.0.

Compliance Impact

This vulnerability causes libcurl to send an Authorization header intended for one HTTP origin (hostA) to a different origin (hostB) when the same handle is reused across the two transfers. While this can allow hostB to impersonate the client towards hostA, the credentials themselves are not exposed and hostB cannot see the details of hostA. The impact is limited to replaying one specific authenticated request.

Because the vulnerability involves unintended reuse of an authentication header, it could pose risks of unauthorized access or data exposure, which are relevant under standards such as GDPR and HIPAA that require protection of sensitive data and authentication credentials.

The available information does not, however, discuss compliance implications or state how this vulnerability directly affects adherence to those regulations.

Impact Analysis

This vulnerability can allow an unintended server (hostB) to receive and reuse the Authorization header intended for another server (hostA), effectively letting hostB impersonate the client in requests meant for hostA.

While the actual credentials are not exposed, an attacker controlling hostB can replay the authenticated request for the exact path, potentially gaining unauthorized access to, or causing unintended actions on, hostA.

The impact is limited because hostB cannot see the details of hostA or the credentials themselves, but an authentication bypass by request replay is still a security risk.

Mitigation Strategies

To mitigate this vulnerability, upgrade libcurl to version 8.21.0 or later, where the issue is fixed.

Alternatively, apply the available patch that addresses this issue.

As a temporary workaround, avoid reusing the same libcurl handle when switching between different HTTP origins.
