CVE-2026-9079

libcurl Proxy Authentication Credential Leak Vulnerability


Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

libcurl had a flaw where, when instructed to clear proxy authentication credentials, it did not do so, leaving the old credentials in place to be used for subsequent transfers that should neither know nor use them.

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
curl | libcurl | From 8.8.0 (inc) to 8.20.0 (inc)

CWE

CWE ID: CWE-UNKNOWN

Executive Summary

The vulnerability CVE-2026-9079 in libcurl involves a flaw where proxy authentication credentials were not properly cleared when instructed to do so.

This flaw caused old credentials to remain in memory and be reused in subsequent transfers that should not have access to those credentials.

The issue affects libcurl versions from 8.8.0 up to and including 8.20.0 and was fixed in version 8.21.0.

Compliance Impact

The vulnerability involves proxy authentication credentials not being properly cleared, leaving old credentials accessible for subsequent transfers. This flaw relates to insufficiently protected credentials (CWE-522), which could potentially lead to unauthorized access to sensitive information.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of authentication credentials could pose risks to data confidentiality and access controls, which are critical components of these regulations.

Therefore, organizations using affected versions of libcurl might face challenges in maintaining compliance with data protection and privacy requirements if this vulnerability is exploited, as it could lead to unauthorized data access.

Impact Analysis

This vulnerability can lead to unauthorized use of proxy authentication credentials because old credentials are not cleared as expected.

As a result, subsequent transfers that should not have access to these credentials might inadvertently reuse them, potentially exposing sensitive authentication information.

Mitigation Strategies

To mitigate the CVE-2026-9079 vulnerability in libcurl, you should upgrade to curl version 8.21.0 or later, where the issue has been fixed.

Alternatively, you can apply the patch provided by the curl project and rebuild the affected version.

Another recommended mitigation is to avoid reusing handles when changing proxy credentials, which prevents old credentials from being reused.
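
To find hosts that still need the upgrade, the following added example (not code from this page or from the curl project) classifies `curl --version` output against the affected range stated above. The host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Affected range and fixed release as stated on this page.
FIRST_AFFECTED = (8, 8, 0)
LAST_AFFECTED = (8, 20, 0)
FIXED_IN = (8, 21, 0)

_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")

# Constructed sample banners (first line of `curl --version`), keyed by host.
SAMPLE_BANNERS = {
    "build-01": "curl 8.12.1 (x86_64-pc-linux-gnu) libcurl/8.12.1 OpenSSL/3.0.13 zlib/1.3",
    "edge-02": "curl 8.21.0 (aarch64-unknown-linux-gnu) libcurl/8.21.0 OpenSSL/3.2.1",
    "legacy-03": "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11",
    # Tool binary newer than the shared library it loads at run time.
    "mixed-04": "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.20.0-DEV OpenSSL/3.0.13",
}


def libcurl_version(banner):
    """Return libcurl's (major, minor, patch) from a banner, or None.

    The flaw is in the library, so the `libcurl/x.y.z` token is used rather
    than the tool version printed first; the two can differ.
    """
    m = _LIBCURL_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(banner):
    """Classify one banner against the CVE-2026-9079 range."""
    version = libcurl_version(banner)
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "not-affected"
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIXED_IN:
        return "fixed"
    return "unlisted"  # between last affected and fixed release: check manually


def triage(banners):
    """Map each host to its classification."""
    return {host: assess(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```

A version string alone cannot show whether a build carries a backported patch, so treat "affected" results from distribution packages as candidates to confirm against the vendor's advisory.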
