CVE-2026-12064
Received Received - Intake

curl SFTP/SCP Host Verification Bypass via Schemeless URL

Vulnerability report for CVE-2026-12064, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-03
Last Modified
2026-07-03
Generated
2026-07-03
AI Q&A
2026-07-03
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
curl curl to 8.20.0 (inc)
curl curl 8.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs when a user runs the curl command line tool with a schemeless URL combined with the option --proto-default set to sftp or scp. In this scenario, the tool layer incorrectly infers the URL scheme and skips initializing important SSH security options such as host public key verification and known hosts validation.

Although the underlying libcurl library correctly honors the default protocol and connects via SFTP or SCP, the tool layer's omission causes curl to connect to an unverified SSH remote host without raising any error. This disconnect between the tool layer and libcurl leads to a silent bypass of critical SSH host verification, potentially exposing users to security risks.

Impact Analysis

This vulnerability can allow curl to connect to an unverified SSH remote host without warning the user. As a result, users may be exposed to man-in-the-middle attacks where an attacker could intercept or manipulate the data transmitted over the SSH connection.

Because the SSH host verification options are silently omitted, users might unknowingly establish connections to malicious servers, compromising the confidentiality and integrity of their data.

Detection Guidance

This vulnerability occurs when curl is invoked using a schemeless URL combined with the --proto-default option set to sftp or scp, causing SSH host verification options to be bypassed silently.

To detect if your system is vulnerable, check the version of curl installed. Versions from 7.81.0 up to and including 8.20.0 are affected.

You can run the following command to check your curl version:

  • curl --version

To detect usage of the vulnerable pattern on your system or network, you can search for curl commands that use schemeless URLs with --proto-default sftp or scp in shell history or scripts.

Example command to search shell history for such usage:

  • history | grep 'curl.*--proto-default.*\(sftp\|scp\)'

Network detection of this vulnerability is difficult because the connection is established via SFTP/SCP normally, but without proper SSH host verification, so no explicit error is raised.

Mitigation Strategies

The recommended immediate mitigation steps are:

  • Upgrade curl and libcurl to version 8.21.0 or later, where the vulnerability is fixed.
  • If upgrading is not immediately possible, apply the patch for this vulnerability to your current curl version and rebuild.
  • Avoid using the --proto-default option with sftp or scp schemes until the fix is applied.
Compliance Impact

This vulnerability causes curl to connect to an unverified SSH remote host without throwing an error due to bypassed SSH host verification options. This silent omission of critical security checks could potentially expose data transmissions to man-in-the-middle attacks.

Such exposure may impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate protection of data in transit and proper verification of communication endpoints to prevent unauthorized access or data breaches.

Therefore, if curl is used in environments subject to these regulations, this vulnerability could undermine the assurance of secure communications and thus affect compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12064. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart