Authorization Header Mismanagement in libcurl Affects Multiple Hosts
CVE-2026-11856

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-11856?

A flaw in libcurl causes the Authorization header to be sent to the wrong origin during HTTP transfers. When Digest authentication is in use and a user performs a transfer to one origin ('hostA') and then a transfer to a different origin ('hostB') on the same handle, libcurl incorrectly transmits the Authorization header intended for 'hostA' to 'hostB'. This can lead to unauthorized access and information leakage, exposing sensitive data.
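A defensive check for the behaviour described above, as an added example that is not part of the original page or of curl: a Digest Authorization header carries a nonce that the server issued in its challenge, so a request whose nonce the receiving origin never issued is a header meant for another origin. The event layout, origins and header values are constructed for illustration.

```python
import re

# Matches key="quoted" or key=token pairs inside a Digest header value.
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def digest_params(header_value):
    """Return Digest parameters as a dict, or None for any other scheme."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k.lower(): (q or t) for k, q, t in _PARAM.findall(rest)}

def find_cross_origin_digest(events):
    """Flag Digest requests whose nonce the receiving origin never issued.

    events: (kind, origin, header_value) tuples in time order; kind is
    "challenge" (WWW-Authenticate received from origin) or "request"
    (Authorization sent to origin). This layout is an assumption.
    Returns (event_index, receiving_origin, issuing_origin_or_None).
    """
    issued = {}  # origin -> nonces that origin has handed out
    findings = []
    for index, (kind, origin, value) in enumerate(events):
        params = digest_params(value)
        if params is None or "nonce" not in params:
            continue
        nonce = params["nonce"]
        if kind == "challenge":
            issued.setdefault(origin, set()).add(nonce)
        elif kind == "request" and nonce not in issued.get(origin, set()):
            source = next((o for o, n in issued.items() if nonce in n), None)
            findings.append((index, origin, source))
    return findings

# Constructed sample: the header built for hostA is also sent to hostB (index 2).
A, B = "https://hosta.example", "https://hostb.example"
SAMPLE_EVENTS = [
    ("challenge", A, 'Digest realm="a", nonce="nA1", qop="auth"'),
    ("request", A, 'Digest username="u", realm="a", nonce="nA1", uri="/x", response="00"'),
    ("request", B, 'Digest username="u", realm="a", nonce="nA1", uri="/y", response="00"'),
    ("challenge", B, 'Digest realm="b", nonce="nB1", qop="auth"'),
    ("request", B, 'Digest username="u", realm="b", nonce="nB1", uri="/y", response="00"'),
]

if __name__ == "__main__":
    for index, origin, source in find_cross_origin_digest(SAMPLE_EVENTS):
        print(f"event {index}: Digest header for {source} sent to {origin}")
```

The same check can be run over proxy or client debug logs once they are reduced to the tuple form assumed here.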

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

jjchuck on HackerOne
Daniel Stenberg