CVE-2026-9547
Status: Received - Intake

libcurl SCP/SFTP Host Key Type Bypass via Callback

Vulnerability report for CVE-2026-9547, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: curl

Description

When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
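The decision point the description refers to is the application's `CURLOPT_SSH_KEYFUNCTION` callback. The block below is an added example of a strict callback, not libcurl code and not the curl project's fix: it accepts a server only when libcurl reports a match and the key type and key bytes independently agree with the recorded known_hosts entry, and it rejects unknown hosts instead of adding them. It assumes libcurl invokes the callback and hands it the recorded key; a library bug of the kind described above can undermine that, so the callback is defence in depth and upgrading remains the fix. The sample keys are constructed base64-looking placeholders, not real host keys. When `<curl/curl.h>` is available it is used; otherwise a small mirror of the public types it needs lets the logic compile and run stand-alone.

```c
/* Added example: a strict CURLOPT_SSH_KEYFUNCTION callback that refuses any
 * host key whose type or bytes differ from the known_hosts entry.
 * Not libcurl code. Build against libcurl normally; the fallback block mirrors
 * the few <curl/curl.h> types used here so the logic compiles without libcurl. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
#  if __has_include(<curl/curl.h>)
#    include <curl/curl.h>
#    define EXAMPLE_HAVE_CURL_H 1
#  endif
#endif

#ifndef EXAMPLE_HAVE_CURL_H
/* Mirror of libcurl's public definitions (same names, same enumerator order). */
typedef void CURL;
enum curl_khtype {
  CURLKHTYPE_UNKNOWN, CURLKHTYPE_RSA1, CURLKHTYPE_RSA,
  CURLKHTYPE_DSS, CURLKHTYPE_ECDSA, CURLKHTYPE_ED25519
};
struct curl_khkey {
  const char *key;          /* raw bytes, or NUL-terminated base64 text when len == 0 */
  size_t len;
  enum curl_khtype keytype;
};
enum curl_khmatch { CURLKHMATCH_OK, CURLKHMATCH_MISMATCH, CURLKHMATCH_MISSING };
enum curl_khstat {
  CURLKHSTAT_FINE_ADD_TO_FILE, CURLKHSTAT_FINE, CURLKHSTAT_REJECT, CURLKHSTAT_DEFER
};
#endif

/* libcurl passes base64 text with len == 0; treat that case as a C string. */
static size_t key_bytes(const struct curl_khkey *k) {
  return k->len ? k->len : strlen(k->key);
}

/* Strict policy: accept only when libcurl reports a match AND the key type and
 * key bytes agree with the recorded entry. Unknown hosts are rejected rather
 * than auto-added; trust-on-first-use is a separate policy decision. */
static int strict_ssh_keyfunc(CURL *easy, const struct curl_khkey *knownkey,
                              const struct curl_khkey *foundkey,
                              enum curl_khmatch match, void *clientp) {
  (void)easy; (void)clientp;
  if (match != CURLKHMATCH_OK || !knownkey || !foundkey ||
      !knownkey->key || !foundkey->key)
    return CURLKHSTAT_REJECT;
  /* A key of a different type than the one on record is never "the same host". */
  if (knownkey->keytype == CURLKHTYPE_UNKNOWN || knownkey->keytype != foundkey->keytype)
    return CURLKHSTAT_REJECT;
  size_t klen = key_bytes(knownkey), flen = key_bytes(foundkey);
  if (klen == 0 || klen != flen || memcmp(knownkey->key, foundkey->key, klen) != 0)
    return CURLKHSTAT_REJECT;
  return CURLKHSTAT_FINE;
}

/* Constructed sample keys: base64-looking placeholders, not real host keys. */
static const struct curl_khkey K_ED25519_A =
  { "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyA00000000000000000000000000", 0, CURLKHTYPE_ED25519 };
static const struct curl_khkey K_ED25519_B =
  { "AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyB00000000000000000000000000", 0, CURLKHTYPE_ED25519 };
static const struct curl_khkey K_RSA =
  { "AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaKey0000000000000000000", 0, CURLKHTYPE_RSA };

/* Scenarios, each returning the callback's verdict. "type changed" with
 * match == CURLKHMATCH_OK models a backend that mis-reports a type mismatch,
 * the class of failure this CVE describes; the callback's own comparison catches it. */
int verdict_same_key(void)         { return strict_ssh_keyfunc(NULL, &K_ED25519_A, &K_ED25519_A, CURLKHMATCH_OK, NULL); }
int verdict_type_changed(void)     { return strict_ssh_keyfunc(NULL, &K_ED25519_A, &K_RSA, CURLKHMATCH_OK, NULL); }
int verdict_bytes_changed(void)    { return strict_ssh_keyfunc(NULL, &K_ED25519_A, &K_ED25519_B, CURLKHMATCH_OK, NULL); }
int verdict_backend_mismatch(void) { return strict_ssh_keyfunc(NULL, &K_ED25519_A, &K_ED25519_A, CURLKHMATCH_MISMATCH, NULL); }
int verdict_unknown_host(void)     { return strict_ssh_keyfunc(NULL, NULL, &K_ED25519_A, CURLKHMATCH_MISSING, NULL); }

static const char *show(int verdict) { return verdict == CURLKHSTAT_FINE ? "accept" : "reject"; }

int main(void) {
  printf("same key on record:        %s\n", show(verdict_same_key()));
  printf("key type changed:          %s\n", show(verdict_type_changed()));
  printf("key bytes changed:         %s\n", show(verdict_bytes_changed()));
  printf("backend reported mismatch: %s\n", show(verdict_backend_mismatch()));
  printf("host not in known_hosts:   %s\n", show(verdict_unknown_host()));
  return 0;
}
```

In a real application the callback is registered with `curl_easy_setopt(handle, CURLOPT_SSH_KEYFUNCTION, strict_ssh_keyfunc)` after setting `CURLOPT_SSH_KNOWNHOSTS` to the known_hosts path; returning `CURLKHSTAT_REJECT` makes the transfer fail instead of proceeding against an unverified server.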

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

2 associated CPEs:

Vendor  Product  Version / Range
curl    libcurl  7.69.0 (inclusive) through 8.20.0 (inclusive)
curl    libcurl  8.21.0

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability occurs in libcurl versions 7.69.0 through 8.20.0 when performing SCP or SFTP transfers using the CURLOPT_SSH_KEYFUNCTION callback. If a server presents a host key type that does not match the one stored in the known_hosts file, the callback fails to reject this mismatch. As a result, the connection proceeds without warning, potentially allowing an attacker to perform a man-in-the-middle attack by impersonating the server.

Impact Analysis

The vulnerability can allow an attacker to intercept or alter data transferred between a client and server by exploiting the failure to properly validate the server's host key during SCP or SFTP transfers. This man-in-the-middle attack risk means sensitive data could be exposed or manipulated without the user's knowledge.

Detection Guidance

This vulnerability involves improper host key validation during SCP or SFTP transfers when using the CURLOPT_SSH_KEYFUNCTION callback in libcurl with the libssh backend. Detection involves verifying if your libcurl version is between 7.69.0 and 8.20.0 and if it uses the libssh backend rather than libssh2.

To check whether a system is exposed, confirm the installed libcurl version and which SSH backend it was built with:

  • Check the libcurl version: `curl --version`
  • In the first line of that output, look for the SSH backend token: `libssh/<version>` indicates the libssh backend, which is affected; `libssh2/<version>` indicates libssh2, which this issue does not affect. A plain substring search for "libssh" matches both, so check for the trailing slash. Note that `curl --version` reports the libcurl the curl command-line tool links against; an application that bundles or links its own libcurl must be checked separately.

Additionally, monitoring network traffic for unexpected SSH host key mismatches during SCP or SFTP transfers could help detect exploitation attempts, but no specific detection commands are provided in the resources.
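The version and backend check described above, as an added example rather than a tool from the curl project: it parses the first line of `curl --version` output and applies the affected window this page states (7.69.0 through 8.20.0 inclusive, libssh backend only). The sample output lines are constructed, not captured from real systems. Two details it gets right that ad-hoc checks often miss: versions are compared numerically so 8.9.0 sorts before 8.20.0, and the backend token is matched as `libssh/` so `libssh2/` is not mistaken for libssh.

```c
/* Added example: decide from the first line of `curl --version` whether the
 * installed libcurl is in the affected window for CVE-2026-9547 as stated on
 * this page. Not curl project code; sample lines are constructed. */
#include <stdio.h>
#include <string.h>

/* Find a space-delimited token starting with `prefix` (e.g. "libcurl/") and
 * return a pointer just past the prefix, or NULL. Because prefixes end in '/',
 * "libssh/" cannot match the "libssh2/" token. */
static const char *find_token(const char *line, const char *prefix) {
  size_t plen = strlen(prefix);
  const char *p = line;
  while ((p = strstr(p, prefix)) != NULL) {
    if (p == line || p[-1] == ' ')
      return p + plen;
    p += plen;
  }
  return NULL;
}

static int parse_version(const char *s, int v[3]) {
  return sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2]) == 3;
}

/* Numeric comparison: "8.9.0" sorts before "8.20.0", unlike a string compare. */
static int cmp_version(const int a[3], const int b[3]) {
  for (int i = 0; i < 3; i++)
    if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

/* Returns 1 if affected, 0 if not, -1 if no libcurl version can be read. */
int affected_by_cve_2026_9547(const char *version_line) {
  static const int lo[3] = {7, 69, 0}, hi[3] = {8, 20, 0};
  int v[3];
  const char *ver = find_token(version_line, "libcurl/");
  if (!ver || !parse_version(ver, v))
    return -1;
  int uses_libssh = find_token(version_line, "libssh/") != NULL;
  return uses_libssh && cmp_version(v, lo) >= 0 && cmp_version(v, hi) <= 0;
}

/* Constructed first lines of `curl --version` output. */
static const char *SAMPLES[] = {
  "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.13 libssh/0.10.5/openssl/zlib nghttp2/1.55.1",
  "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.2 zlib/1.2.13 libssh2/1.11.0 nghttp2/1.55.1",
  "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.2 libssh/0.10.5/openssl/zlib",
  "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1 libssh/0.9.3/openssl/zlib",
};

int main(void) {
  for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
    int r = affected_by_cve_2026_9547(SAMPLES[i]);
    printf("%s\n  -> %s\n", SAMPLES[i],
           r == 1 ? "AFFECTED" : r == 0 ? "not affected" : "cannot determine");
  }
  return 0;
}
```

On a live system the line can be fed in with `curl --version | head -n 1`; a result of "cannot determine" means the output did not carry a `libcurl/` token and the library should be inspected directly (for example via the application's own build information) rather than assumed safe.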

Mitigation Strategies

Immediate mitigation steps include upgrading libcurl to version 8.21.0 or later, where the vulnerability is fixed.

Alternatively, you can apply the official patch for this vulnerability or rebuild libcurl to use the libssh2 backend instead of libssh, as the issue only affects the libssh backend.

Users should avoid using vulnerable versions (7.69.0 through 8.20.0) with the libssh backend for SCP or SFTP transfers that utilize the CURLOPT_SSH_KEYFUNCTION callback.

Compliance Impact

This vulnerability allows a man-in-the-middle attack by silently accepting an untrusted server during SSH-based transfers, which could lead to unauthorized interception or modification of data in transit.

Such a security flaw may impact compliance with standards and regulations like GDPR and HIPAA, which require the protection of data confidentiality and integrity during transmission.

However, the provided information does not explicitly discuss or analyze the direct effects of this vulnerability on compliance with these or other common standards.
