CVE-2026-8927

libcurl Proxy Authentication State Leak in Sequential Transfers

Vulnerability report for CVE-2026-8927, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.

Meta Information

Generated: 2026-07-03

Affected Vendors & Products

Vendor   Product   Version / Range
curl     libcurl   7.12.0 (inclusive) to 8.20.0 (inclusive)

Compliance Impact

The vulnerability causes the Proxy-Authorization header, which carries the client's proxy authentication material (for Digest, the username and a hash bound to proxyA's nonce rather than the cleartext password), to be sent to a second proxy when a libcurl handle is reused for sequential transfers. Exposing that material to a proxy it was never meant for can enable credential guessing, replay or impersonation against the first proxy.

Such leakage of authentication credentials may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and proper access controls to prevent unauthorized disclosure of personal or protected information.

Therefore, organizations using affected libcurl versions without applying the fix or mitigation might face increased risk of non-compliance due to potential unauthorized data exposure.

Executive Summary

CVE-2026-8927 is a medium-severity vulnerability in libcurl versions 7.12.0 through 8.20.0. It occurs when reusing a libcurl handle for sequential transfers that use environment-variable proxy configuration. The problem is that libcurl fails to clear the proxy authentication state between requests.

Specifically, if the first transfer authenticates to a proxy (proxyA) using Digest authentication, a subsequent transfer routed through a different proxy (proxyB) may mistakenly include the Proxy-Authorization header intended only for proxyA. This causes sensitive authentication credentials to leak to the second proxy.

Impact Analysis

This vulnerability can lead to the unintended exposure of proxy authentication credentials to a different proxy than originally intended.

An attacker controlling the second proxy (proxyB) receives the leaked Proxy-Authorization header and learns the proxy username, the realm and the nonce that proxyA issued. Because the header is a Digest response rather than a Basic header, it does not carry the password in clear: it is a hash bound to the nonce, the request method and the request URI, so replaying it against proxyA only succeeds for the same method and URI, and only while proxyA still accepts that nonce and nonce count. The more durable risk is offline guessing: MD5 Digest has no work factor, so a weak proxy password can be recovered from the captured response by trying candidate passwords, after which the attacker can authenticate to proxyA as the client at will.

To mitigate this risk, upgrade libcurl to version 8.21.0 or later, apply the available patch, or avoid carrying one handle across transfers that may reach different proxies: use a fresh handle from curl_easy_init() per proxy target, or call curl_easy_reset() between transfers, which puts the handle back in the state it had right after creation (all options, including proxy credentials, must then be set again).
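To make that caveat concrete, here is an added Python example (not code from libcurl or the curl project) that models the RFC 7616 Digest computation with algorithm=MD5 and qop=auth, the common proxy setup; the page does not say which Digest variant affected deployments use, so that is an assumption, as are the username, realm, nonce, URI and password below. It shows what a malicious proxyB can do with the captured header: replay it to proxyA only for the same method and URI, and guess the password offline.

```python
import hashlib
from typing import Iterable, Optional

# Added example, not libcurl or curl-project code. Models RFC 7616 Digest
# with algorithm=MD5 and qop=auth; every credential and nonce below is
# constructed for the demonstration.


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """RFC 7616 'response' value for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# The header the client built for proxyA on the first transfer. With the
# bug, proxyB receives exactly this header on the next transfer.
PASSWORD = "s3cret-proxy-pw"           # constructed; known to client and proxyA only
FIRST_METHOD, FIRST_URI = "GET", "/"   # constructed request the header was built for
LEAKED = {
    "username": "alice", "realm": "proxyA", "nonce": "dcd98b7102dd2f0e",
    "uri": FIRST_URI, "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
}
LEAKED["response"] = digest_response(
    LEAKED["username"], LEAKED["realm"], PASSWORD, FIRST_METHOD, FIRST_URI,
    LEAKED["nonce"], LEAKED["nc"], LEAKED["cnonce"], LEAKED["qop"])


def proxy_a_accepts(header: dict, method: str, uri: str, password: str) -> bool:
    """proxyA's verification of a (replayed) header for a given method/URI.

    Nonce expiry and nonce-count tracking are deliberately ignored here,
    which is the most favourable case for the attacker."""
    expected = digest_response(header["username"], header["realm"], password,
                               method, uri, header["nonce"], header["nc"],
                               header["cnonce"], header["qop"])
    return expected == header["response"]


def offline_guess(header: dict, method: str, uri: str,
                  candidates: Iterable[str]) -> Optional[str]:
    """proxyB's offline attack on the captured header: three MD5 calls per
    guess and no salt beyond the realm, so a weak password falls quickly."""
    for candidate in candidates:
        if proxy_a_accepts(header, method, uri, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Replaying the identical request validates until proxyA retires the nonce...
    print(proxy_a_accepts(LEAKED, FIRST_METHOD, FIRST_URI, PASSWORD))
    # ...but the same header does not authenticate a different request.
    print(proxy_a_accepts(LEAKED, "CONNECT", "example.org:443", PASSWORD))
    # proxyB can still recover a weak password offline from the hash alone.
    print(offline_guess(LEAKED, FIRST_METHOD, FIRST_URI,
                        ["password", "proxy123", "s3cret-proxy-pw"]))
```

The method and URI an attacker needs for the offline attack are both in the captured request (the request line and the `uri=` parameter), so nothing beyond the leaked message is required. Digest does protect a strong password against this; it does not protect the username or the fact that the client holds credentials for proxyA.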

Detection Guidance

Detection rests on the fact that a Digest Proxy-Authorization header can only be built from a nonce the proxy itself issued in a 407 challenge. A leaked header therefore shows up as a request whose very first hop to proxyB already carries Proxy-Authorization with proxyA's realm and nonce, before proxyB has sent any challenge. Monitor proxy-bound traffic for Proxy-Authorization headers sent to a proxy other than the one that issued the nonce.

Since the issue affects libcurl versions 7.12.0 through 8.20.0 when proxies are configured through environment variables (http_proxy, https_proxy, all_proxy, no_proxy), inventory the libcurl version that each application actually links; the version of the curl command-line tool is not necessarily the one your applications use.

On the wire this check needs cleartext access to the client-to-proxy leg. tcpdump or Wireshark suffice for plain HTTP proxies; if the proxy is reached over TLS (an https:// proxy URL), capture at the client instead with CURLOPT_VERBOSE or a CURLOPT_DEBUGFUNCTION callback, where outgoing headers arrive as CURLINFO_HEADER_OUT.

  • Use tcpdump to capture HTTP traffic on port 3128 (a common proxy port; adjust for 8080 or your proxy's port), keeping only packets that carry a TCP payload: tcpdump -i any -A 'tcp port 3128 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'. The ip[...] arithmetic assumes IPv4 and does not match IPv6 packets.
  • In Wireshark, use the display filter http.request && http contains "Proxy-Authorization:" and compare the realm and nonce in each header with the 407 challenges (http.response.code == 407) each proxy address actually sent; a header whose nonce no challenge from that proxy issued is the leak.
  • Check the libcurl version: curl --version prints the libcurl the curl tool links; for other applications inspect the linked library with ldd <binary> | grep libcurl, or call curl_version() or curl_version_info() at runtime.

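The following added Python example (not curl-project code) applies that rule to a constructed capture of the two transfers: it records the nonce from every Digest 407 challenge against the proxy that sent it, then flags any Digest Proxy-Authorization header whose nonce was issued by a different proxy, or by no proxy seen at all. Addresses, nonce and hash are made up; in practice the messages would be reassembled from a pcap with tshark or a pcap parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed capture, not real traffic and not curl-project code. Each entry
# is (src, dst, raw HTTP message) in wire order. A client at 10.0.0.5 reuses
# one libcurl handle: transfer 1 goes through proxyA (10.0.0.10) after a
# Digest challenge; transfer 2 goes through proxyB (10.0.0.20), which never
# challenged but receives proxyA's header anyway.
DIGEST_HDR = ('Proxy-Authorization: Digest username="alice", realm="proxyA", '
              'nonce="dcd98b7102dd2f0e", uri="/", cnonce="0a4f113b", nc=00000001, '
              'qop=auth, response="6629fae49393a05397450978507c4ef1"\r\n')
SAMPLE: List[Tuple[str, str, str]] = [
    ("10.0.0.5:51000", "10.0.0.10:3128",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("10.0.0.10:3128", "10.0.0.5:51000",
     "HTTP/1.1 407 Proxy Authentication Required\r\n"
     'Proxy-Authenticate: Digest realm="proxyA", nonce="dcd98b7102dd2f0e", qop="auth"\r\n'
     "Content-Length: 0\r\n\r\n"),
    ("10.0.0.5:51000", "10.0.0.10:3128",
     "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n" + DIGEST_HDR + "\r\n"),
    ("10.0.0.10:3128", "10.0.0.5:51000", "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ("10.0.0.5:51001", "10.0.0.20:3128",
     "CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n" + DIGEST_HDR + "\r\n"),
]

# key=value or key="quoted value", comma separated
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_params(value: str) -> Dict[str, str]:
    """'Digest k="v", k2=v2' -> {'k': 'v', 'k2': 'v2'} (scheme word dropped)."""
    _, _, params = value.partition(" ")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def parse_message(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP message head into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


def find_leaks(messages: List[Tuple[str, str, str]]) -> List[Dict[str, Optional[str]]]:
    """Flag Digest Proxy-Authorization headers sent to a proxy that did not issue their nonce."""
    issued_by: Dict[str, str] = {}   # nonce -> proxy (src of the 407) that issued it
    alerts: List[Dict[str, Optional[str]]] = []
    for src, dst, raw in messages:
        start, headers = parse_message(raw)
        if start.startswith("HTTP/"):   # response: remember who challenged with which nonce
            challenge = headers.get("proxy-authenticate", "")
            if challenge.lower().startswith("digest"):
                nonce = parse_digest_params(challenge).get("nonce")
                if nonce:
                    issued_by[nonce] = src
            continue
        auth = headers.get("proxy-authorization", "")
        if not auth.lower().startswith("digest"):
            continue
        params = parse_digest_params(auth)
        issuer = issued_by.get(params.get("nonce", ""))
        if issuer != dst:
            alerts.append({
                "request": start, "dst": dst, "issued_by": issuer,
                "username": params.get("username"), "realm": params.get("realm"),
                "nonce": params.get("nonce"),
                "reason": ("nonce issued by another proxy" if issuer
                           else "no Digest challenge seen from this proxy"),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_leaks(SAMPLE):
        print(alert)
```

The strong signal is an alert with `issued_by` set to a different proxy, as in the sample. An alert with `issued_by` of None means the capture simply did not contain the challenge (for example it started mid-session), so treat that as a prompt to widen the capture rather than as a confirmed leak. Proxies are keyed by `host:port` as seen on the wire; if several proxies sit behind one load-balanced address the check cannot tell them apart.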
Mitigation Strategies

The primary mitigation is to upgrade libcurl to version 8.21.0 or later, where this issue is fixed.

If upgrading is not immediately possible, do not reuse a libcurl handle across transfers that may go through different proxies. This matters most with environment-variable configuration, where the proxy can differ per URL scheme (http_proxy versus https_proxy) or per host (no_proxy) without any change in your code. Use a fresh handle from curl_easy_init() per proxy target, or call curl_easy_reset() between transfers; per its documentation a reset handle is back in the state it had right after creation, so every option, including CURLOPT_PROXYUSERPWD, has to be set again before the next transfer.

Applying the official patch for this vulnerability to your existing libcurl build is another effective mitigation.
