CVE-2026-9546
Status: Received - Intake

HTTP Referer Header Persistence in libcurl

Vulnerability report for CVE-2026-9546, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
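Added example (not libcurl's code): a hypothetical C model of the defect described above, a set-option routine that treats NULL as "nothing to do" instead of clearing the stored Referer, beside the corrected form, plus a regression check that reports whether the header is still emitted after the caller cleared it. All struct and function names, and the sample URL, are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical per-handle state (not libcurl's internal layout). */
typedef struct { char *referer; } handle_t;  /* owned copy, or NULL when unset */

/* Buggy setter: NULL is treated as "nothing to do", so the previously
 * stored string survives and is reused on later requests. */
static void set_referer_buggy(handle_t *h, const char *value) {
    if (value == NULL)
        return;                   /* state is not cleared: the defect */
    free(h->referer);
    h->referer = strdup(value);
}

/* Fixed setter: NULL releases the old value and clears the pointer. */
static void set_referer_fixed(handle_t *h, const char *value) {
    free(h->referer);
    h->referer = value ? strdup(value) : NULL;
}

/* Render the header a transfer would send; returns 1 if Referer is emitted. */
static int emits_referer(const handle_t *h, char *out, size_t outlen) {
    if (h->referer == NULL) {
        out[0] = '\0';
        return 0;
    }
    snprintf(out, outlen, "Referer: %s\r\n", h->referer);
    return 1;
}

/* Regression check: set a value, clear it with NULL, then see whether the
 * header is still sent. Returns 1 for the vulnerable behaviour, 0 when clean. */
static int referer_persists(void (*setter)(handle_t *, const char *)) {
    handle_t h = { NULL };
    char buf[256];
    setter(&h, "https://intranet.example/report?token=CONSTRUCTED"); /* constructed sample */
    setter(&h, NULL);             /* caller expects the header suppressed now */
    int leaked = emits_referer(&h, buf, sizeof buf);
    free(h.referer);
    return leaked;
}

int main(void) {
    printf("buggy setter leaks after NULL: %d\n", referer_persists(set_referer_buggy));
    printf("fixed setter leaks after NULL: %d\n", referer_persists(set_referer_fixed));
    return 0;
}
```

The same check can be pointed at a real libcurl build by capturing outgoing headers with a debug callback and asserting that no `Referer:` line follows a NULL `CURLOPT_REFERER`.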

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor  Product  Version / Range
curl    curl     up to 8.20.0 (inclusive)
curl    curl     8.21.0

Exploitability

CWE ID: CWE-UNKNOWN

AI Quick Actions

Executive Summary

This vulnerability in libcurl causes the HTTP Referer header to persist even when it is explicitly cleared by passing NULL to the CURLOPT_REFERER option.

Although the documentation states that passing NULL should suppress the Referer header, the internal state was not properly cleared, resulting in the previous referrer string being reused and sent in subsequent HTTP requests.

This behavior can lead to unintended leakage of sensitive information to servers that should not receive it.

Impact Analysis

The vulnerability can cause sensitive information contained in the Referer header to be leaked to unintended servers during HTTP requests.

This could expose private or confidential data that was part of the previous request's URL or context, potentially leading to privacy breaches or information disclosure.

The issue is considered low severity and does not affect the curl command line tool, but it affects applications using libcurl versions 8.18.0 to 8.20.0 that rely on CURLOPT_REFERER.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade libcurl to version 8.21.0 or later, where the issue has been fixed.

Alternatively, users can apply the patch that fixes the issue or avoid using the CURLOPT_REFERER option to prevent the Referer header from persisting erroneously.

Compliance Impact

This vulnerability causes the HTTP Referer header to persist and be sent unintentionally, potentially leaking sensitive information to unintended servers.

Such unintended leakage of sensitive information could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on the confidentiality and proper handling of personal and sensitive data.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.
