CVE-2026-3784

MEDIUM 6.5

wrong proxy connection reuse with credentials

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Vendor: curl
Product: curl
Published: Mar 11, 2026
Last Updated: Mar 11, 2026
Affected Versions

curl / curl
8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.0, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.42.0, 7.41.0, 7.40.0, 7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0, 7.29.0, 7.28.1, 7.28.0, 7.27.0, 7.26.0, 7.25.0, 7.24.0, 7.23.1, 7.23.0, 7.22.0, 7.21.7, 7.21.6, 7.21.5, 7.21.4, 7.21.3, 7.21.2,
7.21.1, 7.21.0, 7.20.1, 7.20.0, 7.19.7, 7.19.6, 7.19.5, 7.19.4, 7.19.3, 7.19.2, 7.19.1, 7.19.0, 7.18.2, 7.18.1, 7.18.0, 7.17.1, 7.17.0, 7.16.4, 7.16.3, 7.16.2, 7.16.1, 7.16.0, 7.15.5, 7.15.4, 7.15.3, 7.15.2, 7.15.1, 7.15.0, 7.14.1, 7.14.0, 7.13.2, 7.13.1, 7.13.0, 7.12.3, 7.12.2, 7.12.1, 7.12.0, 7.11.2, 7.11.1, 7.11.0, 7.10.8, 7.10.7, 7.10.6, 7.10.5, 7.10.4, 7.10.3, 7.10.2, 7.10.1, 7.10, 7.9.8, 7.9.7, 7.9.6, 7.9.5, 7.9.4, 7.9.3, 7.9.2, 7.9.1, 7.9, 7.8.1, 7.8, 7.7.3, 7.7.2, 7.7.1, 7.7

References

curl.se: https://curl.se/docs/CVE-2026-3784.json
curl.se: https://curl.se/docs/CVE-2026-3784.html
hackerone.com: https://hackerone.com/reports/3584903
openwall.com: http://www.openwall.com/lists/oss-security/2026/03/11/3

Credits

Muhamad Arga Reksapati (HackerOne: nobcoder)
Stefan Eissing