CVE-2026-8932
Status: Received - Intake

mTLS Connection Reuse in libcurl Due to Missing Config Checks

Vulnerability report for CVE-2026-8932, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

libcurl would reuse a previously created connection even when an mTLS-related configuration option had been changed in a way that should have prohibited reuse. libcurl keeps previously used connections in a connection pool so that subsequent transfers can reuse one whose setup matches. However, some TLS settings related to client certificates were left out of the configuration match checks, making connections match too easily; in particular, options related to the private key were not compared.
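The matching logic the description refers to can be made concrete with a small model of a connection pool. This is an added illustration, not libcurl source: a pooled connection is handed to a new transfer only if its configuration "matches", and the two variants below differ only in which TLS fields the match compares. Field names are loosely modelled on libcurl's CURLOPT_SSLCERT, CURLOPT_SSLKEY and CURLOPT_KEYPASSWD options; the advisory does not say exactly which options were omitted, so treating the private-key fields as the omitted ones, and all host names and file paths, are assumptions of this model.

```python
"""Connection-pool matching model for CVE-2026-8932.

Added illustration, not libcurl code. Which TLS options the real match check
omitted is not stated in the advisory; this model assumes the private-key
fields were the ones left out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TlsConfig:
    client_cert: Optional[str] = None   # client certificate path (CURLOPT_SSLCERT-like)
    client_key: Optional[str] = None    # private key path (CURLOPT_SSLKEY-like)
    key_passwd: Optional[str] = None    # private key passphrase (CURLOPT_KEYPASSWD-like)
    ca_file: Optional[str] = None       # CA bundle used to verify the server
    verify_peer: bool = True


@dataclass
class Connection:
    host: str
    port: int
    tls: TlsConfig        # the configuration the TLS handshake was actually performed with
    in_use: bool = False


class ConnectionPool:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.conns: List[Connection] = []

    def _matches(self, conn: Connection, host: str, port: int, tls: TlsConfig) -> bool:
        if conn.host != host or conn.port != port:
            return False
        if self.strict:
            # Fixed behaviour: every TLS field must be identical.
            return conn.tls == tls
        # Flawed behaviour (assumed shape of the bug): the private-key fields
        # are never compared, so a transfer with a different key still matches.
        return (conn.tls.client_cert == tls.client_cert
                and conn.tls.ca_file == tls.ca_file
                and conn.tls.verify_peer == tls.verify_peer)

    def acquire(self, host: str, port: int, tls: TlsConfig) -> Tuple[Connection, bool]:
        """Return (connection, reused). A reused connection keeps the TLS
        identity it was created with; a new one is built from `tls`."""
        for conn in self.conns:
            if not conn.in_use and self._matches(conn, host, port, tls):
                conn.in_use = True
                return conn, True
        conn = Connection(host, port, tls, in_use=True)
        self.conns.append(conn)
        return conn, False

    def release(self, conn: Connection) -> None:
        conn.in_use = False


def second_transfer_identity(strict: bool) -> Tuple[bool, Optional[str]]:
    """Two transfers to the same host, the second with a different private key.
    Returns (did the second transfer reuse a pooled connection?, the key that
    connection was actually authenticated with). Paths are constructed values."""
    pool = ConnectionPool(strict=strict)
    identity_a = TlsConfig(client_cert="/etc/app/client.pem",
                           client_key="/etc/app/key-a.pem", key_passwd="pass-a")
    identity_b = TlsConfig(client_cert="/etc/app/client.pem",
                           client_key="/etc/app/key-b.pem", key_passwd="pass-b")
    first, _ = pool.acquire("api.example.test", 443, identity_a)
    pool.release(first)
    second, reused = pool.acquire("api.example.test", 443, identity_b)
    return reused, second.tls.client_key


if __name__ == "__main__":
    print("flawed match:", second_transfer_identity(strict=False))
    print("fixed match: ", second_transfer_identity(strict=True))
```

With the flawed comparison the second transfer rides on a connection that was authenticated with the first key, which is the authentication-identity confusion the advisory describes; with the full comparison a fresh handshake is performed for the changed configuration.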


Meta Information

Published: 2026-07-03
Last modified: 2026-07-03
Generated: 2026-07-03
EPSS evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product   Version / Range
curl     libcurl   From 7.7 (inclusive) to 8.20.0 (inclusive)
curl     libcurl   8.21.0

Exploitability

CWE ID: CWE-UNKNOWN

AI Quick Actions

Compliance Impact

This vulnerability in libcurl involves the incorrect reuse of connections despite changes in mTLS configuration related to client certificates and private keys, potentially leading to authentication bypass.

Such authentication bypass issues could impact compliance with security requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls over authentication and data protection.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Executive Summary

CVE-2026-8932 is a vulnerability in libcurl where the library incorrectly reuses an existing connection even when certain mutual TLS (mTLS) configuration options related to client certificates and private keys have been changed.

libcurl maintains a connection pool to reuse connections for efficiency, but it fails to properly check all relevant TLS settings when deciding if a connection can be reused. This means connections might be reused inappropriately, bypassing intended security configurations.

Impact Analysis

This vulnerability can lead to authentication bypass issues because connections may be reused even when security settings related to client certificates and private keys have changed.

As a result, the reused connection might not meet the updated security requirements, potentially allowing unauthorized access or weakening the security of communications that rely on proper mTLS configuration.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade libcurl to version 8.21.0 or later, where the issue has been fixed.

Alternatively, apply any available patches that address this specific vulnerability.

Since the vulnerability affects libcurl versions from 7.7 up to and including 8.20.0, ensuring your environment does not use these versions will prevent exploitation.
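A practical first step is to inventory which hosts run a libcurl in the affected range. The helper below is an added example, not part of the advisory or of curl: it parses the first line of `curl --version` output and applies the range the mitigation text gives (7.7 up to and including 8.20.0). The banner lines are constructed samples, and the check covers only the libcurl the `curl` binary is linked against; an application that bundles or statically links its own libcurl must be checked separately.

```python
"""Affected-version check for CVE-2026-8932 from `curl --version` banners.

Added helper, not part of the advisory or of curl. The affected range is the
one the advisory's mitigation text states: libcurl 7.7 to 8.20.0 inclusive.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (7, 7, 0)    # "from 7.7 (inclusive)" per the advisory
AFFECTED_MAX: Version = (8, 20, 0)   # "to 8.20.0 (inclusive)" per the advisory


def parse_version(text: str) -> Version:
    """'7.7' -> (7, 7, 0); '8.20.0' -> (8, 20, 0). Non-numeric suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def libcurl_version_from_banner(banner: str) -> Version:
    """Pull the libcurl/X.Y.Z token from the first line of `curl --version`.
    The libcurl token, not the leading `curl X.Y.Z`, is the library version."""
    m = re.search(r"\blibcurl/(\d+\.\d+(?:\.\d+)?)", banner)
    if not m:
        raise ValueError("no libcurl/X.Y.Z token in banner")
    return parse_version(m.group(1))


def is_affected(version: Version) -> bool:
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def affected_hosts(banners: Dict[str, str]) -> List[str]:
    """Given {hostname: first line of `curl --version`}, return the hosts whose
    libcurl falls in the affected range, sorted for stable reporting."""
    return sorted(h for h, b in banners.items()
                  if is_affected(libcurl_version_from_banner(b)))


# Constructed sample inventory; the lines mimic the shape of `curl --version` output.
SAMPLE_BANNERS = {
    "build-01": "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3",
    "build-02": "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3",
    "legacy-db": "curl 7.6.1 (i686-pc-linux-gnu) libcurl/7.6.1",
    "ci-runner": "curl 7.88.1 (aarch64-unknown-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_BANNERS):
        print(f"{host}: libcurl in affected range, upgrade required")
```

Feed it one banner line per host (for example collected with `curl --version | head -1` by your configuration-management tool) and act on the hosts it returns.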
