CVE-2026-8926
Received
Received - Intake
curl Credential Leak via .netrc Misconfiguration
Vulnerability report for CVE-2026-8926, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-03
Last updated on: 2026-07-03
Assigner: curl
Description
Description
When asking curl to use a `.netrc` file to find credentials and at the same
time specifying a URL with a username(without a password), like
`https://[email protected]/`, curl could wrongly get and use the password for
*another* user set in the `.netrc` file for that host if such a one exists and
there is no match for the specified user.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| curl | curl | 8.21.0 |
| curl | curl | From 8.11.1 (inc) to 8.20.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |