libcurl Vulnerability in Connection Reuse for Authenticated Requests
CVE-2026-5545
Currently unrated
What is CVE-2026-5545?
libcurl has a logic error in connection reuse when handling authenticated HTTP(S) requests. When an application first authenticates using Negotiate with one set of credentials (e.g., user1:password1) and then attempts a subsequent request with a different set of credentials (e.g., user2:password2) for the same host, the library may incorrectly reuse the original connection. The result is unintended credential mixing: the second request erroneously uses the first user's credentials, which compromises security and can expose sensitive information. Users of libcurl should be aware of this flaw and implement the necessary mitigations.
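The reuse decision described above, as a simplified model added here (not libcurl source code and not taken from the advisory): a connection matcher that compares only the host, next to one that also compares the authenticated identity. The struct, the function names and the host.example value are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not libcurl source; every name here is hypothetical. */
struct conn {
    const char *host;      /* host the idle connection is open to */
    const char *auth_user; /* identity that completed Negotiate on it, or NULL */
};

static int same_user(const char *a, const char *b)
{
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* Finds a reusable connection. strict == 0 models the flaw: only the host
 * is compared. strict == 1 also requires the authenticated identity to match. */
static struct conn *find_conn(struct conn *pool, size_t n, const char *host,
                              const char *user, int strict)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pool[i].host, host) != 0)
            continue;
        if (strict && !same_user(pool[i].auth_user, user))
            continue;
        return &pool[i];
    }
    return NULL; /* caller opens a new connection and authenticates on it */
}

/* Identity the server attributes the request to. Negotiate can authenticate
 * the connection itself, so a reused connection keeps its first identity. */
static const char *effective_user(const struct conn *c, const char *requested)
{
    return (c && c->auth_user) ? c->auth_user : requested;
}

/* Constructed scenario: user1 authenticated first, then user2 asks for the same host. */
static const char *second_request_identity(int strict)
{
    struct conn pool[] = { { "host.example", "user1" } };
    struct conn *c = find_conn(pool, 1, "host.example", "user2", strict);
    return effective_user(c, "user2");
}

int main(void)
{
    printf("host-only match: %s\n", second_request_identity(0));
    printf("identity match:  %s\n", second_request_identity(1));
    return 0;
}
```

An application that switches credentials for the same host can keep the second transfer off an existing connection with libcurl's CURLOPT_FRESH_CONNECT option. Treating that as a workaround for this CVE is an assumption made here, not guidance from the advisory text.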
Affected Version(s)
curl 8.19.0
curl 8.18.0
curl 8.17.0
