SSH Host Verification Bypass in curl Tool by curl Vendor
CVE-2026-12064

Currently unrated

Key Information:

Vendor

Curl

Status
Vendor
CVE Published:
3 July 2026

What is CVE-2026-12064?

The curl command-line tool decides which libcurl options to set for a transfer partly from the URL scheme. When the URL is given without a scheme and --proto-default is set to sftp or scp, the tool layer fails to recognise the transfer as an SSH transfer and therefore omits the SSH host-verification options it would otherwise pass to libcurl: CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 (the pinned fingerprint given with --hostpubsha256) and CURLOPT_SSH_KNOWNHOSTS (the known_hosts file). The transfer then proceeds against an unverified SSH host and curl reports no error, so a user who pinned a host key or relies on known_hosts gets no protection against an attacker who can intercept or impersonate the server. Host-key verification is what binds an SSH/SFTP session to the intended server; without it the confidentiality and integrity of the transferred data rest on nothing. The bypass is specific to the combination of a schemeless URL and --proto-default set to sftp or scp; spelling the scheme out in the URL (sftp://host/path) avoids the mis-detection described here.
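The failure mode above is a scheme-resolution bug: the verification options are gated on what the tool believes the scheme is, and that belief is formed before --proto-default is taken into account. The following Python is an added illustrative model written for this page, not curl's source and not curl's real decision logic; the function names, the TOOL_DEFAULT_SCHEME constant and the sample fingerprint are assumptions. It places a buggy gate (literal URL text) beside a corrected gate (effective scheme after applying the default protocol) and provides a check that reports whether host verification would actually be enforced for a given command line.

```python
"""Model of the scheme-detection flaw described for CVE-2026-12064.

Illustrative reconstruction only (not curl's code): a tool layer copies the
SSH host-verification settings into the transfer only when it believes the
transfer uses sftp:// or scp://. The buggy variant inspects the literal URL
text, so a schemeless URL plus --proto-default sftp is never seen as SSH and
the verification options are silently dropped.
"""

SSH_SCHEMES = {"sftp", "scp"}
# Assumption for this model: scheme guessed when neither the URL nor
# --proto-default supplies one.
TOOL_DEFAULT_SCHEME = "http"

# Option names mirror the libcurl options named in the advisory.
OPT_PIN = "CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256"
OPT_KNOWNHOSTS = "CURLOPT_SSH_KNOWNHOSTS"
OPT_DEFAULT_PROTO = "CURLOPT_DEFAULT_PROTOCOL"


def literal_scheme(url: str):
    """Scheme written in the URL text, or None for a schemeless URL.

    Deliberately does not use urllib.parse: 'host:22/path' would be
    mis-parsed there as scheme 'host'.
    """
    head, sep, _ = url.partition("://")
    return head.lower() if sep else None


def effective_scheme(url: str, proto_default=None) -> str:
    """Scheme the transfer will really use: literal, else --proto-default,
    else the tool's built-in guess."""
    scheme = literal_scheme(url)
    if scheme is not None:
        return scheme
    return (proto_default or TOOL_DEFAULT_SCHEME).lower()


def _base_options(url, proto_default):
    opts = {"url": url}
    if proto_default:
        opts[OPT_DEFAULT_PROTO] = proto_default
    return opts


def ssh_transfer_options_buggy(url, proto_default, hostpubsha256, knownhosts):
    """Buggy gate: decides on the literal URL text and ignores --proto-default,
    so a schemeless SFTP/SCP transfer loses its verification options."""
    opts = _base_options(url, proto_default)
    if literal_scheme(url) in SSH_SCHEMES:
        if hostpubsha256:
            opts[OPT_PIN] = hostpubsha256
        if knownhosts:
            opts[OPT_KNOWNHOSTS] = knownhosts
    return opts


def ssh_transfer_options_fixed(url, proto_default, hostpubsha256, knownhosts):
    """Corrected gate: decides on the scheme the transfer will actually use."""
    opts = _base_options(url, proto_default)
    if effective_scheme(url, proto_default) in SSH_SCHEMES:
        if hostpubsha256:
            opts[OPT_PIN] = hostpubsha256
        if knownhosts:
            opts[OPT_KNOWNHOSTS] = knownhosts
    return opts


def host_verification_enforced(opts) -> bool:
    """True if at least one SSH host-verification option reached libcurl."""
    return OPT_PIN in opts or OPT_KNOWNHOSTS in opts


def verification_gap(url, proto_default, hostpubsha256, knownhosts) -> bool:
    """True when the buggy gate drops verification that the fixed gate keeps,
    i.e. the command line is one the advisory's bypass applies to."""
    buggy = ssh_transfer_options_buggy(url, proto_default, hostpubsha256, knownhosts)
    fixed = ssh_transfer_options_fixed(url, proto_default, hostpubsha256, knownhosts)
    return host_verification_enforced(fixed) and not host_verification_enforced(buggy)


if __name__ == "__main__":
    # Constructed sample inputs; the fingerprint is a placeholder, not a real key.
    pin = "sha256//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    kh = "/home/user/.ssh/known_hosts"
    for url, proto in [("sftp://files.example/etc/hosts", None),
                       ("files.example/etc/hosts", "sftp"),
                       ("files.example/etc/hosts", "scp"),
                       ("files.example/index.html", None)]:
        print(f"{url!r:36} --proto-default={proto!s:5} "
              f"bypass={verification_gap(url, proto, pin, kh)}")
```

Run as a script it prints one line per constructed command line; the two schemeless SSH cases are the ones where the buggy gate drops both options while the fixed gate keeps them, and the explicit sftp:// URL is unaffected, matching the advisory's description.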

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

alienowo on hackerone (AntAISecurityLab)
Daniel Stenberg