CVE-2026-8286
Status: Received - Intake

STARTTLS Connection Reuse with TLS Mismatch in Exim

Vulnerability report for CVE-2026-8286, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though its TLS configuration does not match the existing connection's, so the connection should not have been reused.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

1 associated CPE

Vendor  Product  Version / Range
curl    curl     From 7.30.0 (inclusive) to 8.20.0 (inclusive)

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

CVE-2026-8286 is a vulnerability in the curl library where a new transfer using STARTTLS to upgrade a connection to TLS may incorrectly reuse an existing live connection even when the TLS configuration does not match.

This means that when protocols like IMAP, POP3, SMTP, FTP, and LDAP start a connection in cleartext and then upgrade to TLS using STARTTLS, curl might reuse a connection that should not be reused due to mismatched TLS settings.

The issue arises because the validation logic that is supposed to ensure configuration consistency between transfers before a connection is reused is not properly invoked for these STARTTLS-upgraded connections, leading to improper certificate validation (CWE-295).

Compliance Impact

The vulnerability involves improper certificate validation when reusing existing live connections with mismatched TLS configurations during STARTTLS upgrades. This could potentially lead to security weaknesses in the encryption and authentication of data transfers.

While the severity is classified as low, improper certificate validation (CWE-295) can undermine the confidentiality and integrity of communications, which are critical aspects of compliance with standards like GDPR and HIPAA that require protection of sensitive data in transit.

Therefore, if exploited, this vulnerability might impact compliance by exposing data transfers to risks that these regulations aim to mitigate, such as unauthorized data access or interception.

Users are advised to upgrade to curl version 8.21.0 or later to address this issue and maintain compliance with security requirements.

Detection Guidance

This vulnerability involves curl reusing existing live connections with mismatched TLS configurations during STARTTLS upgrades. Detection consists of identifying installations of vulnerable curl versions (7.30.0 to 8.20.0 inclusive) and monitoring network traffic for STARTTLS upgrades on protocols such as IMAP, POP3, SMTP, FTP, and LDAP.

To detect if your system is vulnerable, first check the curl version installed:

  • curl --version

If the version is between 7.30.0 and 8.20.0 inclusive, your system is affected. Note that the first line of the output also reports the linked libcurl version (for example `libcurl/8.x.y`), which is the relevant version for applications that use the library rather than the command-line tool. To monitor network connections that use STARTTLS, you can use packet capture tools such as tcpdump or Wireshark to filter for STARTTLS commands or TLS upgrades on the relevant protocol ports.

  • tcpdump -i <interface> -A port 143 or port 110 or port 25 or port 21 or port 389

Look for STARTTLS commands in the captured traffic to identify whether connections are being upgraded and potentially reused improperly.

Additionally, reviewing application logs or enabling verbose or trace output in curl can help detect unexpected connection reuse (look for messages about re-using an existing connection) or TLS configuration mismatches.

  • curl --trace-ascii debug.txt <URL>

Impact Analysis

This vulnerability can lead to improper certificate validation: a transfer may be carried out over a reused connection whose TLS settings (for example certificate verification options) differ from those the new transfer requested.

Such misuse of connections could potentially expose sensitive data or allow man-in-the-middle attacks because the security guarantees expected from TLS upgrades are not properly enforced.

However, the severity of this issue is classified as low.

Mitigation Strategies

To mitigate the CVE-2026-8286 vulnerability, users should upgrade curl and libcurl to version 8.21.0 or later, where the issue has been fixed.

Alternatively, users can apply the patch provided for this vulnerability and rebuild libcurl.

As a temporary workaround, avoid using clear-text transfers with protocols that upgrade to TLS using STARTTLS, such as IMAP, POP3, SMTP, FTP, and LDAP.
