wrong proxy connection reuse with credentials
=============================================

Project curl Security Advisory, March 11th 2026
[Permalink](https://curl.se/docs/CVE-2026-3784.html)

VULNERABILITY
-------------

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
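
The following C program is an added illustration, not part of this advisory or of curl's source: it models a pool of proxy CONNECT tunnels whose reuse key omits the proxy credentials beside the corrected matcher that includes them. The `tunnel` struct, the function names and the proxy/target values are invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a pooled HTTP proxy CONNECT tunnel (not curl's code). */
struct tunnel {
    const char *proxy_host;
    int proxy_port;
    const char *proxy_user;   /* NULL when the proxy was not authenticated */
    const char *proxy_pass;
    const char *target_host;  /* host given in the CONNECT request */
    int target_port;
};

/* NULL-safe string equality: two NULLs compare equal, NULL vs string does not. */
static bool str_eq(const char *a, const char *b) {
    if (!a || !b) return a == b;
    return strcmp(a, b) == 0;
}

/* Flawed matcher: compares only the proxy endpoint and the CONNECT target,
   so a tunnel authenticated as one user is handed to a request carrying
   different proxy credentials. */
bool reusable_flawed(const struct tunnel *pooled, const struct tunnel *want) {
    return str_eq(pooled->proxy_host, want->proxy_host) &&
           pooled->proxy_port == want->proxy_port &&
           str_eq(pooled->target_host, want->target_host) &&
           pooled->target_port == want->target_port;
}

/* Fixed matcher: the proxy credentials are part of the reuse key. */
bool reusable_fixed(const struct tunnel *pooled, const struct tunnel *want) {
    return reusable_flawed(pooled, want) &&
           str_eq(pooled->proxy_user, want->proxy_user) &&
           str_eq(pooled->proxy_pass, want->proxy_pass);
}

/* Returns the index of a reusable pooled tunnel, or -1 if a new one is needed. */
int find_tunnel(const struct tunnel *pool, int n, const struct tunnel *want,
                bool (*match)(const struct tunnel *, const struct tunnel *)) {
    for (int i = 0; i < n; i++)
        if (match(&pool[i], want)) return i;
    return -1;
}

int main(void) {
    /* Constructed sample: one tunnel in the pool, opened with alice's credentials. */
    struct tunnel pool[] = {
        {"proxy.example", 3128, "alice", "s3cret", "api.example", 443}};
    struct tunnel bob = {"proxy.example", 3128, "bob", "other", "api.example", 443};
    printf("flawed: %d\n", find_tunnel(pool, 1, &bob, reusable_flawed)); /* 0: reused */
    printf("fixed:  %d\n", find_tunnel(pool, 1, &bob, reusable_fixed));  /* -1: new tunnel */
    return 0;
}
```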

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-3784 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.7 to and including 8.18.0
- Not affected versions: curl < 7.7 and >= 8.19.0
- Introduced-in: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION
--------

curl 8.19.0 fixes this flaw.

- Fixed-in: https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade to curl and libcurl 8.19.0

 B - Apply the patch and rebuild libcurl

 C - Avoid using HTTP proxy with alternating credentials

TIMELINE
--------

It was reported to the curl project on March 4th 2026. We contacted
distros@openwall on March 8.

libcurl 8.19.0 was released on March 11th 2026, coordinated with the
publication of this advisory.

CREDITS
-------

- Reported-by: Muhamad Arga Reksapati (HackerOne: nobcoder)
- Patched-by: Stefan Eissing

Thanks a lot!

--

 / daniel.haxx.se || https://rock-solid.curl.dev