๐Ÿ” CVE Alert

CVE-2026-7009

MEDIUM 5.3

OCSP stapling bypass with Apple SecTrust

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 1st

When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine.

Vendor: curl
Product: curl
Published: May 13, 2026
Last Updated: May 13, 2026

Affected Versions

curl / curl
8.19.0 ≤ 8.19.0
8.18.0 ≤ 8.18.0
8.17.0 ≤ 8.17.0

References

curl.se: https://curl.se/docs/CVE-2026-7009.json
curl.se: https://curl.se/docs/CVE-2026-7009.html
hackerone.com: https://hackerone.com/reports/3694390
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/29/12

Credits

Carlos Carrillo
Stefan Eissing