Connection Reuse Vulnerability in libcurl for Negotiate Authentication
CVE-2026-1965

6.5MEDIUM

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-1965?

The libcurl library has a vulnerability that can lead to the incorrect reuse of connections during Negotiate-authenticated HTTP or HTTPS requests. This issue arises when an application authenticates to a server using one set of credentials, then subsequently attempts to connect to the same server with a different set of credentials. Due to a flaw in the connection reuse logic, the initial connection may be reused instead of establishing a new, authenticated session. This can result in sensitive data being sent with the wrong credentials, posing a security risk. Applications can mitigate this problem by adjusting the connection reuse settings in libcurl using specific options.

Affected Version(s)

curl 8.18.0

curl 8.17.0

curl 8.16.0

References

https://curl.se/docs/CVE-2026-1965.json

https://curl.se/docs/CVE-2026-1965.html

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Feb 5, 2026

Credit

Zhicheng Chen

Daniel Stenberg

CVE-2026-1965 Data

JSON

Curl

What is CVE-2026-1965?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit