CVE-2026-8924
Status: Received - Intake

Cookie Parsing Bypass in curl

Vulnerability report for CVE-2026-8924, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.


Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor  Product  Version / Range
curl    curl     From 7.46.0 (inc) to 8.21.0 (exc)
curl    curl     8.21.0

Helpful Resources

Exploitability

CWE ID: CWE-UNKNOWN
KEV: none listed

AI Quick Actions
Compliance Impact

This vulnerability allows attacker-controlled origins to inject cookies that curl scopes and transmits to unrelated third-party domains, potentially leading to unintended information exposure.

Such unintended transmission of cookies could raise concerns under data protection regulations like GDPR and HIPAA, which require strict controls on personal data sharing and transmission to unauthorized parties.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with these standards.

Executive Summary

This vulnerability is a flaw in curl's cookie parsing logic that allows a malicious HTTP server to set "super cookies" which bypass the Public Suffix List (PSL) check.

An attacker-controlled origin can inject cookies that curl then scopes and transmits to unrelated third-party domains, potentially exposing cookies to domains that should not receive them.

The issue arises especially when a trailing dot is used in a hostname (e.g., https://example.co.uk.), which curl mishandles, allowing these overly broad cookies to be sent.

Impact Analysis

This vulnerability can lead to information exposure because cookies intended for one domain may be sent to unrelated third-party domains.

Attackers controlling a malicious HTTP server can exploit this to inject cookies that curl will send to other domains, potentially leaking sensitive session or authentication data.

The impact is classified as low severity, but it can still compromise privacy and security by exposing cookie data beyond its intended scope.

Detection Guidance

This vulnerability involves curl's cookie parsing logic allowing malicious HTTP servers to set 'super cookies' that bypass the Public Suffix List check, potentially causing curl to send cookies to unrelated third-party domains.

Detection would involve monitoring curl's cookie behavior, especially when accessing URLs with trailing dots in hostnames (e.g., https://example.co.uk.).

Since the vulnerability can be exploited using the curl command line tool, one way to detect it is to test curl versions between 7.46.0 and 8.20.0 against a malicious HTTP server that sets such 'super cookies' and observe whether curl then sends those cookies to unrelated domains.

No specific detection commands are provided in the resources.
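Since the page offers no detection commands, here is an added defensive example (not code from the curl project or from this page) that audits a curl cookie jar for the two symptoms the advisory describes: cookies scoped to a public suffix such as co.uk, and cookies whose domain carries a trailing dot. It reads curl's Netscape cookie-jar format (one tab-separated cookie per line, HttpOnly cookies prefixed with `#HttpOnly_`) and also checks a curl version string against the affected range in the table above (7.46.0 inclusive to 8.21.0 exclusive). The `PUBLIC_SUFFIXES` set is a tiny constructed subset standing in for the real Public Suffix List, and `SAMPLE_JAR` is a constructed sample, not a captured file.

```python
"""Audit a curl cookie jar for over-broad ("super") cookie scopes.

Added example, not code from the curl project or from this page. It reads
curl's Netscape-format cookie jar (one tab-separated cookie per line, with
HttpOnly cookies prefixed "#HttpOnly_") and flags cookies whose domain is a
public suffix or carries a trailing dot, the two symptoms described in the
advisory. It also checks a curl version string against the affected range
listed in the advisory (7.46.0 inclusive to 8.21.0 exclusive).
"""

# Constructed subset of the Public Suffix List, for illustration only.
# A real audit would load the full list from https://publicsuffix.org/list/.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "de"}

AFFECTED_FROM = (7, 46, 0)   # inclusive, per the affected-products range row
FIXED_IN = (8, 21, 0)        # exclusive, per the affected-products range row

# Constructed sample jar; not captured from a real host.
SAMPLE_JAR = """\
# Netscape HTTP Cookie File
# constructed sample for the audit below
.example.co.uk\tTRUE\t/\tFALSE\t2000000000\tsession\tabc123
.co.uk.\tTRUE\t/\tFALSE\t2000000000\tsuper\tevil
#HttpOnly_.co.uk\tTRUE\t/\tTRUE\t2000000000\tsuper2\tevil2
example.com\tFALSE\t/\tFALSE\t0\tplain\tv
"""


def parse_version(text):
    """Turn '8.20.0' into (8, 20, 0) so versions compare as tuples."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected_version(text):
    """True if the version falls inside [7.46.0, 8.21.0)."""
    return AFFECTED_FROM <= parse_version(text) < FIXED_IN


def parse_cookie_jar(text):
    """Parse Netscape cookie-jar lines into dicts; skip comments and bad rows."""
    cookies = []
    for line in text.splitlines():
        httponly = False
        if line.startswith("#HttpOnly_"):
            httponly = True
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#") or not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed row; a real tool would log it
        domain, subdomains, path, secure, expires, name, value = fields
        cookies.append({
            "domain": domain,
            "include_subdomains": subdomains == "TRUE",
            "path": path,
            "secure": secure == "TRUE",
            "expires": int(expires),
            "name": name,
            "value": value,
            "httponly": httponly,
        })
    return cookies


def audit_cookies(cookies, suffixes=PUBLIC_SUFFIXES):
    """Return the cookies scoped to a public suffix or a trailing-dot domain."""
    findings = []
    for cookie in cookies:
        raw = cookie["domain"]
        reasons = []
        if raw.endswith("."):
            reasons.append("trailing dot")
        # Normalise: drop the trailing dot and the leading dot curl writes
        # for domain cookies, then compare case-insensitively.
        normalised = raw.rstrip(".").lstrip(".").lower()
        if normalised in suffixes:
            reasons.append("public suffix")
        if reasons:
            findings.append({"name": cookie["name"], "domain": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    # Pass a cookie-jar path as the first argument; otherwise the sample is used.
    jar_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JAR
    for finding in audit_cookies(parse_cookie_jar(jar_text)):
        print(f"{finding['name']}: domain {finding['domain']!r} -> "
              f"{', '.join(finding['reasons'])}")
```

Run against the sample, the script flags `super` (trailing dot and public suffix) and `super2` (public suffix) while leaving the `session` and `plain` cookies alone. Pointing it at the jar written by `curl -c` after a test run against a server you control is a cheap way to confirm whether a given curl build scopes cookies more broadly than the Public Suffix List allows.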

Mitigation Strategies

The primary mitigation step is to upgrade curl to version 8.21.0 or later, where the vulnerability has been fixed.

Alternatively, apply the patch released by the curl project if upgrading is not immediately possible.

Avoid using trailing dots in hostnames in URLs, as this triggers the vulnerability.
