OAuth2 Token Leakage in Curl during HTTP(S) Transfers
CVE-2026-3783

5.3MEDIUM

Key Information:

Vendor: Curl
Status: Curl
Vendor: CVE Published:; 11 March 2026

What is CVE-2026-3783?

A vulnerability exists in Curl where OAuth2 bearer tokens can be inadvertently exposed during HTTP(S) transfers if a redirect occurs. When a request is redirected to a second URL, the bearer token from the initial request can be leaked to the new hostname under certain conditions. Specifically, if the destination hostname is listed in the .netrc file of the user with relevant machine or default keywords, Curl incorrectly sends the bearer token intended for the first host to the second host, potentially compromising sensitive authentication information.

Affected Version(s)

curl 8.18.0

curl 8.17.0

curl 8.16.0

References

https://curl.se/docs/CVE-2026-3783.json

https://curl.se/docs/CVE-2026-3783.html

https://hackerone.com/reports/3583983

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2026
Vulnerability Reserved
Mar 8, 2026

Credit

spectreglobalsec on hackerone

Daniel Stenberg

CVE-2026-3783 Data

JSON