CVE-2026-8458

libcurl Connection Reuse Authentication Bypass

Vulnerability report for CVE-2026-8458, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

libcurl might in some circumstances reuse the wrong connection for Negotiate-authenticated requests, even when the connections are set to use different 'services'. libcurl keeps a pool of recent connections so that subsequent requests can reuse an existing connection and avoid the overhead of setting up a new one. Before a connection is reused, a range of criteria must be met. Due to a logical error in that code, a request issued by an application could wrongfully reuse an existing connection to the same server that had been authenticated using a different service.


Affected Vendors & Products

Vendor    Product    Version / Range
curl      libcurl    from 7.43.0 (inclusive) to 8.20.0 (inclusive)

Exploitability

CWE ID: CWE-UNKNOWN (no CWE assigned)

Compliance Impact

The vulnerability in libcurl involves incorrect reuse of connections that were authenticated for different services, which can lead to improper session handling.

The available information does not indicate any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-8458 is a vulnerability in libcurl versions 7.43.0 to 8.20.0 where the library may incorrectly reuse an existing connection for Negotiate-authenticated requests even when those connections are set to use different services.

libcurl maintains a pool of recent connections to improve performance by reusing them for subsequent requests. Due to a logical error in the connection reuse logic, a request could wrongfully reuse a connection to the same server that had been authenticated for a different service, which the reuse criteria were meant to prevent.

This issue only affects cases where the hostname, port, and credentials are identical and the previous connection remains active in the pool. The flaw has existed since curl started supporting service name settings for Negotiate.

The vulnerability is classified as low severity and does not impact the curl command line tool. It was fixed in curl version 8.21.0 by ensuring connection reuse considers the service name.
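The reuse criteria described above (hostname, port and credentials identical, service name ignored) and the fix (service name also compared) can be modelled with a small connection-pool matcher. This is an added, constructed illustration, not libcurl's code; the field names, the `negotiate` flag and the sample hostname are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of a connection pool; NOT libcurl's own implementation.

@dataclass
class PooledConnection:
    host: str
    port: int
    user: str
    negotiate: bool  # assumed flag: connection was authenticated with Negotiate
    service: str     # assumed: service name the Negotiate context was built for


@dataclass
class Request:
    host: str
    port: int
    user: str
    negotiate: bool
    service: str


def find_reusable(pool: List[PooledConnection], req: Request,
                  check_service: bool) -> Optional[PooledConnection]:
    """Return the first pooled connection the request is allowed to reuse.

    check_service=False mirrors the flawed criteria from the advisory:
    host, port and credentials must match, but the service name is ignored.
    check_service=True is the corrected rule from curl 8.21.0, where the
    service name is also part of the reuse decision.
    """
    for conn in pool:
        if (conn.host, conn.port, conn.user) != (req.host, req.port, req.user):
            continue
        if conn.negotiate != req.negotiate:
            continue
        if check_service and conn.negotiate and conn.service != req.service:
            continue  # authenticated for another service: do not reuse
        return conn
    return None


def demo() -> tuple:
    """Same host/port/user, different service: flawed rule reuses, fixed rule does not."""
    pool = [PooledConnection("intranet.example", 443, "alice", True, "HTTP")]
    req = Request("intranet.example", 443, "alice", True, "OTHERSVC")
    return (find_reusable(pool, req, False) is not None,
            find_reusable(pool, req, True) is not None)
```

A request for the same service still matches under the corrected rule, so the fix does not disable connection reuse for Negotiate in general.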

Impact Analysis

This vulnerability can lead to improper session handling: a request may be sent over a connection whose Negotiate authentication context was established for a different service, so the request is handled within the wrong authenticated session.

Because the connection reuse logic is flawed, authentication contexts and the data exchanged over them might be incorrectly shared between requests for different services, which could lead to unintended data exposure in applications that rely on libcurl for Negotiate authentication.

However, the severity is considered low and the issue does not affect the curl command line tool, limiting the scope of impact primarily to applications using libcurl with Negotiate authentication.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade libcurl to version 8.21.0 or later, where the issue has been fixed.

Alternatively, you can apply the patch provided for this vulnerability if upgrading is not immediately possible.

If neither upgrading nor patching is feasible, avoid using HTTP Negotiate authentication in your applications to prevent the incorrect reuse of connections.
