Authorization Header Mismanagement in libcurl Affects Multiple Hosts
CVE-2026-11856
Currently unrated
What is CVE-2026-11856?
A flaw in libcurl allows an attacker to exploit how the Authorization header is handled during HTTP transfers. When Digest authentication is in use and a user performs a transfer to one origin ('hostA') and then a transfer to a different origin ('hostB') on the same handle, libcurl incorrectly sends the Authorization header intended for 'hostA' to 'hostB'. This can lead to unauthorized access and information leakage, exposing sensitive data.
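The reuse pattern described above can be looked for in an application's own transfer records. The following Python audit is an added example, not code from curl or from this advisory; the record format (handle id, auth scheme, URL), the .example host names and the sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), lower-cased and with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def find_cross_origin_reuse(transfers):
    """Flag transfers that reuse a handle after it did Digest auth to another origin.

    transfers: iterable of (handle_id, auth_scheme, url) in execution order
    (a hypothetical record format). Returns a list of
    (handle_id, origin_that_received_digest_auth, origin_of_later_transfer).
    """
    digest_origin = {}  # handle_id -> origin of the latest Digest transfer
    findings = []
    for handle_id, auth, url in transfers:
        here = origin(url)
        previous = digest_origin.get(handle_id)
        if previous is not None and here != previous:
            findings.append((handle_id, previous, here))
        if auth.lower() == "digest":
            digest_origin[handle_id] = here
    return findings


# Constructed sample records, in execution order.
SAMPLE = [
    ("h1", "digest", "https://hostA.example/api/report"),
    ("h1", "digest", "https://HOSTA.example:443/api/status"),  # same origin
    ("h1", "none", "https://hostB.example/upload"),            # other host
    ("h2", "digest", "https://hostA.example/api/report"),
    ("h3", "none", "https://hostB.example/upload"),            # never used Digest
    ("h2", "digest", "http://hostA.example/api/report"),       # other scheme and port
]

if __name__ == "__main__":
    for handle_id, first, later in find_cross_origin_reuse(SAMPLE):
        print(f"{handle_id}: Digest credentials for {first} precede a transfer to {later}")
```

Each finding marks a point in the application where a separate handle per origin would keep credentials for one origin away from transfers to another.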
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
