CVE-2026-9545

Session Reuse Bypass in libcurl with Early Data

Vulnerability report for CVE-2026-9545, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

In this scenario, libcurl first makes transfers to a legitimate HTTP/3 server, and by the time it makes a second transfer to the same site the server has been replaced by an attacker's impostor machine that does not present a valid certificate. When libcurl returns to that hostname with a cached TLS session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled; it is enabled by default) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), it might send the second request's bytes on the new connection *before* the certificate verification failure is enforced, potentially leaking whatever sensitive information that request carries. TLS early data can only be sent when resuming a previously established session, which is why the cached session is a precondition.

Meta Information

Generated
2026-07-03
EPSS Evaluated
N/A

Affected Vendors & Products

Vendor  Product  Version / Range
curl    libcurl  up to and including 8.20.0 (introduced in 8.11.0)
curl    curl     up to and including 8.20.0 (introduced in 8.11.0)
curl    libcurl  8.21.0
curl    curl     8.21.0

Note: the two 8.21.0 rows conflict with the advisory text, which names 8.21.0 as the release that contains the fix; treat 8.11.0 through 8.20.0 as the affected range and 8.21.0 as fixed.

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

CVE-2026-9545 is a vulnerability in libcurl and the curl command line tool that affects HTTP/3 connections using the ngtcp2 + nghttp3 backend.

The issue occurs when libcurl reuses a cached SSL session with CURLOPT_SSL_SESSIONID_CACHE enabled and early data is enabled (CURLSSLOPT_EARLYDATA set) for a second transfer to the same site.

If an attacker replaces the legitimate server with an impostor machine lacking a valid certificate, libcurl may send sensitive data before verifying the certificate failure, potentially leaking information.

This flaw is specific to HTTPS URLs using HTTP/3 and was introduced in curl version 8.11.0, affecting versions up to 8.20.0. It was fixed in curl 8.21.0.

Impact Analysis

This vulnerability can lead to the unintended leakage of sensitive information.

If an attacker replaces a legitimate server with an impostor machine without a valid certificate, libcurl might send data from a second request before verifying the certificate, exposing potentially confidential data.

This could compromise the confidentiality of communications and data transmitted over HTTPS connections using HTTP/3 with early data enabled.

Detection Guidance

This vulnerability occurs only when libcurl, on an HTTP/3 transfer, resumes a cached TLS session with early data enabled. Detection therefore means identifying vulnerable curl versions (8.11.0 through 8.20.0 inclusive) together with applications that set CURLSSLOPT_EARLYDATA in CURLOPT_SSL_OPTIONS without disabling CURLOPT_SSL_SESSIONID_CACHE. The session cache is enabled by default, so the absence of an explicit disable is enough for the second precondition; early data is off by default, so an application must opt in.

To detect if your system is vulnerable, check the libcurl version actually in use and inspect whether applications enable early data while leaving session caching active.

Suggested checks:

  • curl --version: the first line reports both the tool version and a libcurl/x.y.z token for the library it loaded, which can differ on systems with a shared libcurl; the Features: line lists HTTP3 only on builds with HTTP/3 support, and a build without it cannot reach the vulnerable path.
  • For the curl tool itself, early data is only enabled when a command passes --tls-earlydata. For applications, search the code or configuration for CURLSSLOPT_EARLYDATA and CURLOPT_SSL_SESSIONID_CACHE.

Network detection of exploit attempts is difficult because the leaked request bytes travel as 0-RTT early data in the first flight of the QUIC connection to the impostor, before libcurl has any chance to act on the failed certificate verification; monitoring for unexpected HTTP/3 connections, or for a hostname suddenly presenting a different certificate, is the practical fallback.
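As an added example that is not part of the original advisory or the curl project's code, the following POSIX shell script carries out the checks above: it parses `curl --version` output, compares the libcurl version against the affected range, checks for an HTTP/3-capable build, and scans a source tree for early-data callers. The affected range, the option names and the HTTP3 feature token are taken from this page; the sample version output and the sample source file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this advisory (not code from the curl project or from the
# original page): audit a host for the CVE-2026-9545 preconditions. Assumptions:
# the affected range 8.11.0..8.20.0 inclusive and the option names come from the
# advisory text; "HTTP3" in the Features: line of `curl --version` marks an
# HTTP/3-capable build; the sample data below is constructed, not captured.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric versions.
# ".0.0" is appended so every field exists even for short versions like "8.20".
vercmp() {
    a="$1.0.0"; b="$2.0.0"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# version_affected VERSION: succeeds when VERSION lies in 8.11.0..8.20.0 inclusive.
# A "-DEV" or similar suffix is stripped before comparing.
version_affected() {
    v=${1%%-*}
    [ "$(vercmp "$v" 8.11.0)" -ge 0 ] && [ "$(vercmp "$v" 8.20.0)" -le 0 ]
}

# libcurl_version OUTPUT: the libcurl/x.y.z token from the first line of
# `curl --version`. The tool and the shared library can differ in version;
# the library version is the one that matters for this bug.
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# has_http3 OUTPUT: succeeds when the Features: line lists HTTP3.
has_http3() {
    printf '%s\n' "$1" | grep '^Features:' | grep -Eq '(^|[[:space:]])HTTP3([[:space:]]|$)'
}

# earlydata_users DIR: files under DIR that set CURLSSLOPT_EARLYDATA. Because
# CURLOPT_SSL_SESSIONID_CACHE is on unless the application turns it off, each
# listed file needs a manual check for an explicit disable of the session cache.
earlydata_users() {
    grep -rl 'CURLSSLOPT_EARLYDATA' "$1" 2>/dev/null || true
}

# assess VERSION_OUTPUT SRC_DIR: one-word verdict for a host plus a source tree.
assess() {
    ver=$(libcurl_version "$1")
    if [ -z "$ver" ]; then printf '%s\n' unknown-version; return 0; fi
    if ! version_affected "$ver"; then printf '%s\n' version-not-affected; return 0; fi
    if ! has_http3 "$1"; then printf '%s\n' affected-version-but-no-http3; return 0; fi
    if [ -n "$(earlydata_users "$2")" ]; then
        printf '%s\n' exposed
    else
        printf '%s\n' affected-version-no-earlydata-callers
    fi
}

# Constructed sample of `curl --version` output (not captured from a real host).
SAMPLE_VERSION_OUTPUT='curl 8.15.0 (x86_64-pc-linux-gnu) libcurl/8.15.0 OpenSSL/3.0.13 nghttp3/1.6.0 ngtcp2/1.9.0
Features: alt-svc AsynchDNS HTTP2 HTTP3 HTTPS-proxy IPv6 SSL'

# Constructed sample source tree with one early-data caller.
SAMPLE_SRC_DIR=$(mktemp -d)
cat > "$SAMPLE_SRC_DIR/transfer.c" <<'EOF'
/* constructed: enables 0-RTT and leaves CURLOPT_SSL_SESSIONID_CACHE at its default */
curl_easy_setopt(h, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_EARLYDATA);
EOF

assess "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_SRC_DIR"   # prints: exposed
# Real use: assess "$(curl --version 2>/dev/null)" /path/to/application/source
```

A verdict of exposed means every precondition is visibly present: an affected libcurl, an HTTP/3-capable build, and code that opts into early data. The source scan is deliberately coarse; it flags candidates for review rather than proving that a given call site ever resumes a session.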

Mitigation Strategies

Immediate mitigation steps include upgrading libcurl and curl to version 8.21.0 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, remove either precondition: do not set the CURLSSLOPT_EARLYDATA bit in CURLOPT_SSL_OPTIONS (early data is off unless an application opts in), or set CURLOPT_SSL_SESSIONID_CACHE to 0 so that no cached session is available to resume. For the curl command-line tool the equivalents are omitting --tls-earlydata and passing --no-sessionid. Disabling early data costs one round trip on resumed connections and nothing else; disabling the session cache also forces a full handshake on every connection.

Applying the official patch provided by the curl project is also a recommended mitigation.

Compliance Impact

This vulnerability in libcurl can potentially lead to the leakage of sensitive information due to early data being sent before certificate verification fails when connecting to an impostor server. Such unintended data exposure could impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of sensitive personal and health information from unauthorized disclosure.

Organizations relying on libcurl for secure HTTP/3 connections might face increased risk of data breaches if they use affected versions without mitigation, thereby potentially violating confidentiality and data protection requirements mandated by these standards.

Mitigations such as upgrading to curl version 8.21.0, applying patches, or disabling TLS early data are necessary to maintain compliance and reduce the risk of sensitive data leakage.
