OAuth2 Token Leakage in Curl during HTTP(S) Transfers
CVE-2026-3783

5.3MEDIUM

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-3783?

A vulnerability exists in Curl where OAuth2 bearer tokens can be inadvertently exposed during HTTP(S) transfers if a redirect occurs. When a request is redirected to a second URL, the bearer token from the initial request can be leaked to the new hostname under certain conditions. Specifically, if the destination hostname is listed in the .netrc file of the user with relevant machine or default keywords, Curl incorrectly sends the bearer token intended for the first host to the second host, potentially compromising sensitive authentication information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

curl 8.18.0

curl 8.17.0

curl 8.16.0

References

https://curl.se/docs/CVE-2026-3783.json

https://curl.se/docs/CVE-2026-3783.html

https://hackerone.com/reports/3583983

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 8, 2026

Credit

spectreglobalsec on hackerone

Daniel Stenberg

JSON

Curl

What is CVE-2026-3783?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.