CVE-2026-6253

MEDIUM 5.9

proxy credentials leak over redirect-to proxy

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

4th

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy

Vendor	curl
Product	curl
Published	May 13, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for curl curl

Be the first to know when new medium vulnerabilities affecting curl curl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

curl / curl

8.19.0 ≤ 8.19.0 8.18.0 ≤ 8.18.0 8.17.0 ≤ 8.17.0 8.16.0 ≤ 8.16.0 8.15.0 ≤ 8.15.0 8.14.1 ≤ 8.14.1 8.14.0 ≤ 8.14.0 8.13.0 ≤ 8.13.0 8.12.1 ≤ 8.12.1 8.12.0 ≤ 8.12.0 8.11.1 ≤ 8.11.1 8.11.0 ≤ 8.11.0 8.10.1 ≤ 8.10.1 8.10.0 ≤ 8.10.0 8.9.1 ≤ 8.9.1 8.9.0 ≤ 8.9.0 8.8.0 ≤ 8.8.0 8.7.1 ≤ 8.7.1 8.7.0 ≤ 8.7.0 8.6.0 ≤ 8.6.0 8.5.0 ≤ 8.5.0 8.4.0 ≤ 8.4.0 8.3.0 ≤ 8.3.0 8.2.1 ≤ 8.2.1 8.2.0 ≤ 8.2.0 8.1.2 ≤ 8.1.2 8.1.1 ≤ 8.1.1 8.1.0 ≤ 8.1.0 8.0.1 ≤ 8.0.1 8.0.0 ≤ 8.0.0 7.88.1 ≤ 7.88.1 7.88.0 ≤ 7.88.0 7.87.0 ≤ 7.87.0 7.86.0 ≤ 7.86.0 7.85.0 ≤ 7.85.0 7.84.0 ≤ 7.84.0 7.83.1 ≤ 7.83.1 7.83.0 ≤ 7.83.0 7.82.0 ≤ 7.82.0 7.81.0 ≤ 7.81.0 7.80.0 ≤ 7.80.0 7.79.1 ≤ 7.79.1 7.79.0 ≤ 7.79.0 7.78.0 ≤ 7.78.0 7.77.0 ≤ 7.77.0 7.76.1 ≤ 7.76.1 7.76.0 ≤ 7.76.0 7.75.0 ≤ 7.75.0 7.74.0 ≤ 7.74.0 7.73.0 ≤ 7.73.0 7.72.0 ≤ 7.72.0 7.71.1 ≤ 7.71.1 7.71.0 ≤ 7.71.0 7.70.0 ≤ 7.70.0 7.69.1 ≤ 7.69.1 7.69.0 ≤ 7.69.0 7.68.0 ≤ 7.68.0 7.67.0 ≤ 7.67.0 7.66.0 ≤ 7.66.0 7.65.3 ≤ 7.65.3 7.65.2 ≤ 7.65.2 7.65.1 ≤ 7.65.1 7.65.0 ≤ 7.65.0 7.64.1 ≤ 7.64.1 7.64.0 ≤ 7.64.0 7.63.0 ≤ 7.63.0 7.62.0 ≤ 7.62.0 7.61.1 ≤ 7.61.1 7.61.0 ≤ 7.61.0 7.60.0 ≤ 7.60.0 7.59.0 ≤ 7.59.0 7.58.0 ≤ 7.58.0 7.57.0 ≤ 7.57.0 7.56.1 ≤ 7.56.1 7.56.0 ≤ 7.56.0 7.55.1 ≤ 7.55.1 7.55.0 ≤ 7.55.0 7.54.1 ≤ 7.54.1 7.54.0 ≤ 7.54.0 7.53.1 ≤ 7.53.1 7.53.0 ≤ 7.53.0 7.52.1 ≤ 7.52.1 7.52.0 ≤ 7.52.0 7.51.0 ≤ 7.51.0 7.50.3 ≤ 7.50.3 7.50.2 ≤ 7.50.2 7.50.1 ≤ 7.50.1 7.50.0 ≤ 7.50.0 7.49.1 ≤ 7.49.1 7.49.0 ≤ 7.49.0 7.48.0 ≤ 7.48.0 7.47.1 ≤ 7.47.1 7.47.0 ≤ 7.47.0 7.46.0 ≤ 7.46.0 7.45.0 ≤ 7.45.0 7.44.0 ≤ 7.44.0 7.43.0 ≤ 7.43.0 7.42.1 ≤ 7.42.1 7.42.0 ≤ 7.42.0 7.41.0 ≤ 7.41.0 7.40.0 ≤ 7.40.0 7.39.0 ≤ 7.39.0 7.38.0 ≤ 7.38.0 7.37.1 ≤ 7.37.1 7.37.0 ≤ 7.37.0 7.36.0 ≤ 7.36.0 7.35.0 ≤ 7.35.0 7.34.0 ≤ 7.34.0 7.33.0 ≤ 7.33.0 7.32.0 ≤ 7.32.0 7.31.0 ≤ 7.31.0 7.30.0 ≤ 7.30.0 7.29.0 ≤ 7.29.0 7.28.1 ≤ 7.28.1 7.28.0 ≤ 7.28.0 7.27.0 ≤ 7.27.0 7.26.0 ≤ 7.26.0 7.25.0 ≤ 7.25.0 7.24.0 ≤ 7.24.0 7.23.1 ≤ 7.23.1 7.23.0 ≤ 7.23.0 7.22.0 ≤ 7.22.0 7.21.7 ≤ 7.21.7 7.21.6 ≤ 7.21.6 7.21.5 ≤ 7.21.5 7.21.4 ≤ 7.21.4 7.21.3 ≤ 7.21.3 7.21.2 ≤ 7.21.2 7.21.1 ≤ 7.21.1 7.21.0 ≤ 7.21.0 7.20.1 ≤ 7.20.1 7.20.0 ≤ 7.20.0 7.19.7 ≤ 7.19.7 7.19.6 ≤ 7.19.6 7.19.5 ≤ 7.19.5 7.19.4 ≤ 7.19.4 7.19.3 ≤ 7.19.3 7.19.2 ≤ 7.19.2 7.19.1 ≤ 7.19.1 7.19.0 ≤ 7.19.0 7.18.2 ≤ 7.18.2 7.18.1 ≤ 7.18.1 7.18.0 ≤ 7.18.0 7.17.1 ≤ 7.17.1 7.17.0 ≤ 7.17.0 7.16.4 ≤ 7.16.4 7.16.3 ≤ 7.16.3 7.16.2 ≤ 7.16.2 7.16.1 ≤ 7.16.1 7.16.0 ≤ 7.16.0 7.15.5 ≤ 7.15.5 7.15.4 ≤ 7.15.4 7.15.3 ≤ 7.15.3 7.15.2 ≤ 7.15.2 7.15.1 ≤ 7.15.1 7.15.0 ≤ 7.15.0 7.14.1 ≤ 7.14.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

curl.se: https://curl.se/docs/CVE-2026-6253.json curl.se: https://curl.se/docs/CVE-2026-6253.html hackerone.com: https://hackerone.com/reports/3669637 openwall.com: http://www.openwall.com/lists/oss-security/2026/04/29/11

Credits

Dwij Mehta (O2 Lab Texas A&M University) Daniel Stenberg