🔐 CVE Alert

CVE-2026-8927

UNKNOWN 0.0

env-set cross-proxy Digest auth state leak

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.

Vendor curl
Product curl
Published Jul 3, 2026
Stay Ahead of the Next One

Get instant alerts for curl curl

Be the first to know when new unknown vulnerabilities affecting curl curl are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

curl / curl
8.20.0 ≤ 8.20.0 8.19.0 ≤ 8.19.0 8.18.0 ≤ 8.18.0 8.17.0 ≤ 8.17.0 8.16.0 ≤ 8.16.0 8.15.0 ≤ 8.15.0 8.14.1 ≤ 8.14.1 8.14.0 ≤ 8.14.0 8.13.0 ≤ 8.13.0 8.12.1 ≤ 8.12.1 8.12.0 ≤ 8.12.0 8.11.1 ≤ 8.11.1 8.11.0 ≤ 8.11.0 8.10.1 ≤ 8.10.1 8.10.0 ≤ 8.10.0 8.9.1 ≤ 8.9.1 8.9.0 ≤ 8.9.0 8.8.0 ≤ 8.8.0 8.7.1 ≤ 8.7.1 8.7.0 ≤ 8.7.0 8.6.0 ≤ 8.6.0 8.5.0 ≤ 8.5.0 8.4.0 ≤ 8.4.0 8.3.0 ≤ 8.3.0 8.2.1 ≤ 8.2.1 8.2.0 ≤ 8.2.0 8.1.2 ≤ 8.1.2 8.1.1 ≤ 8.1.1 8.1.0 ≤ 8.1.0 8.0.1 ≤ 8.0.1 8.0.0 ≤ 8.0.0 7.88.1 ≤ 7.88.1 7.88.0 ≤ 7.88.0 7.87.0 ≤ 7.87.0 7.86.0 ≤ 7.86.0 7.85.0 ≤ 7.85.0 7.84.0 ≤ 7.84.0 7.83.1 ≤ 7.83.1 7.83.0 ≤ 7.83.0 7.82.0 ≤ 7.82.0 7.81.0 ≤ 7.81.0 7.80.0 ≤ 7.80.0 7.79.1 ≤ 7.79.1 7.79.0 ≤ 7.79.0 7.78.0 ≤ 7.78.0 7.77.0 ≤ 7.77.0 7.76.1 ≤ 7.76.1 7.76.0 ≤ 7.76.0 7.75.0 ≤ 7.75.0 7.74.0 ≤ 7.74.0 7.73.0 ≤ 7.73.0 7.72.0 ≤ 7.72.0 7.71.1 ≤ 7.71.1 7.71.0 ≤ 7.71.0 7.70.0 ≤ 7.70.0 7.69.1 ≤ 7.69.1 7.69.0 ≤ 7.69.0 7.68.0 ≤ 7.68.0 7.67.0 ≤ 7.67.0 7.66.0 ≤ 7.66.0 7.65.3 ≤ 7.65.3 7.65.2 ≤ 7.65.2 7.65.1 ≤ 7.65.1 7.65.0 ≤ 7.65.0 7.64.1 ≤ 7.64.1 7.64.0 ≤ 7.64.0 7.63.0 ≤ 7.63.0 7.62.0 ≤ 7.62.0 7.61.1 ≤ 7.61.1 7.61.0 ≤ 7.61.0 7.60.0 ≤ 7.60.0 7.59.0 ≤ 7.59.0 7.58.0 ≤ 7.58.0 7.57.0 ≤ 7.57.0 7.56.1 ≤ 7.56.1 7.56.0 ≤ 7.56.0 7.55.1 ≤ 7.55.1 7.55.0 ≤ 7.55.0 7.54.1 ≤ 7.54.1 7.54.0 ≤ 7.54.0 7.53.1 ≤ 7.53.1 7.53.0 ≤ 7.53.0 7.52.1 ≤ 7.52.1 7.52.0 ≤ 7.52.0 7.51.0 ≤ 7.51.0 7.50.3 ≤ 7.50.3 7.50.2 ≤ 7.50.2 7.50.1 ≤ 7.50.1 7.50.0 ≤ 7.50.0 7.49.1 ≤ 7.49.1 7.49.0 ≤ 7.49.0 7.48.0 ≤ 7.48.0 7.47.1 ≤ 7.47.1 7.47.0 ≤ 7.47.0 7.46.0 ≤ 7.46.0 7.45.0 ≤ 7.45.0 7.44.0 ≤ 7.44.0 7.43.0 ≤ 7.43.0 7.42.1 ≤ 7.42.1 7.42.0 ≤ 7.42.0 7.41.0 ≤ 7.41.0 7.40.0 ≤ 7.40.0 7.39.0 ≤ 7.39.0 7.38.0 ≤ 7.38.0 7.37.1 ≤ 7.37.1 7.37.0 ≤ 7.37.0 7.36.0 ≤ 7.36.0 7.35.0 ≤ 7.35.0 7.34.0 ≤ 7.34.0 7.33.0 ≤ 7.33.0 7.32.0 ≤ 7.32.0 7.31.0 ≤ 7.31.0 7.30.0 ≤ 7.30.0 7.29.0 ≤ 7.29.0 7.28.1 ≤ 7.28.1 7.28.0 ≤ 7.28.0 7.27.0 ≤ 7.27.0 7.26.0 ≤ 7.26.0 7.25.0 ≤ 7.25.0 7.24.0 ≤ 7.24.0 7.23.1 ≤ 7.23.1 7.23.0 ≤ 7.23.0 7.22.0 ≤ 7.22.0 7.21.7 ≤ 7.21.7 7.21.6 ≤ 7.21.6 7.21.5 ≤ 7.21.5 7.21.4 ≤ 7.21.4 7.21.3 ≤ 7.21.3 7.21.2 ≤ 7.21.2 7.21.1 ≤ 7.21.1 7.21.0 ≤ 7.21.0 7.20.1 ≤ 7.20.1 7.20.0 ≤ 7.20.0 7.19.7 ≤ 7.19.7 7.19.6 ≤ 7.19.6 7.19.5 ≤ 7.19.5 7.19.4 ≤ 7.19.4 7.19.3 ≤ 7.19.3 7.19.2 ≤ 7.19.2 7.19.1 ≤ 7.19.1 7.19.0 ≤ 7.19.0 7.18.2 ≤ 7.18.2 7.18.1 ≤ 7.18.1 7.18.0 ≤ 7.18.0 7.17.1 ≤ 7.17.1 7.17.0 ≤ 7.17.0 7.16.4 ≤ 7.16.4 7.16.3 ≤ 7.16.3 7.16.2 ≤ 7.16.2 7.16.1 ≤ 7.16.1 7.16.0 ≤ 7.16.0 7.15.5 ≤ 7.15.5 7.15.4 ≤ 7.15.4 7.15.3 ≤ 7.15.3 7.15.2 ≤ 7.15.2 7.15.1 ≤ 7.15.1 7.15.0 ≤ 7.15.0 7.14.1 ≤ 7.14.1 7.14.0 ≤ 7.14.0 7.13.2 ≤ 7.13.2 7.13.1 ≤ 7.13.1 7.13.0 ≤ 7.13.0 7.12.3 ≤ 7.12.3 7.12.2 ≤ 7.12.2 7.12.1 ≤ 7.12.1 7.12.0 ≤ 7.12.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
curl.se: https://curl.se/docs/CVE-2026-8927.json curl.se: https://curl.se/docs/CVE-2026-8927.html hackerone.com: https://hackerone.com/reports/3744543

Credits

Ady Elouej Daniel Stenberg