TLS Misconfiguration in cURL Affecting Secure Connections
CVE-2026-4873

Currently unrated

Key Information:

Vendor: Curl

CVE Published: 13 May 2026

What is CVE-2026-4873?

cURL can inadvertently reuse an existing unencrypted connection from the same connection pool for a transfer that requires TLS. If an initial transfer is performed in clear text using a protocol such as IMAP, SMTP, or POP3, subsequent requests to the same host might bypass TLS protections entirely and send sensitive data unencrypted. This exposes the data to eavesdropping and undermines the confidentiality of information sent over what should be a secure connection.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadi Vainbrand
Daniel Stenberg