Proxy Credentials Mismanagement in Curl Affects Network Communication
CVE-2026-6253

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-6253?

The vulnerability arises when curl handles proxies with differing authentication requirements. If curl is configured to use different proxies for different URL schemes, and the first proxy requires credentials while the second one does not, the credentials meant for the first proxy may erroneously be passed to the second during a URL redirection. This mishandling of proxy credentials can lead to unauthorized access to resources, putting sensitive data at risk.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0
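
A defensive check for the configuration described above, as an added example that is not part of the original advisory or of curl itself: it flags setups where one scheme's proxy carries credentials and another scheme's different proxy carries none. It assumes the proxies are configured through curl-style `<scheme>_proxy` environment variables; the hosts and credentials in the sample are constructed, and the check does not look at whether redirects are followed.

```python
from urllib.parse import urlsplit

# Versions listed on this page; the page's list may not be exhaustive.
LISTED_VERSIONS = {"8.17.0", "8.18.0", "8.19.0"}

def _split(proxy):
    # curl treats a proxy string without a scheme as an HTTP proxy.
    return urlsplit(proxy if "://" in proxy else "http://" + proxy)

def proxies_from_env(env):
    """Map scheme -> proxy URL from curl-style <scheme>_proxy variables."""
    found = {}
    for name, value in env.items():
        lower = name.lower()
        # curl does not read upper-case HTTP_PROXY; NO_PROXY is an exclusion list.
        if not value or name == "HTTP_PROXY" or lower == "no_proxy":
            continue
        if lower.endswith("_proxy"):
            found[lower[: -len("_proxy")]] = value
    return found

def mismatched_pairs(env):
    """Pairs (scheme with proxy credentials, scheme whose different proxy has none)."""
    proxies = sorted(proxies_from_env(env).items())
    pairs = []
    for a, url_a in proxies:
        for b, url_b in proxies:
            pa, pb = _split(url_a), _split(url_b)
            different = (pa.hostname, pa.port) != (pb.hostname, pb.port)
            if pa.username is not None and pb.username is None and different:
                pairs.append((a, b))
    return pairs

def audit(env, curl_version):
    """Report whether this version and proxy setup match the page's description."""
    pairs = mismatched_pairs(env)
    listed = curl_version in LISTED_VERSIONS
    return {"version_listed": listed, "pairs": pairs, "review": listed and bool(pairs)}

# Constructed sample environment (hypothetical hosts and credentials).
SAMPLE_ENV = {
    "http_proxy": "http://svc:s3cret@proxy-a.example:3128",
    "HTTPS_PROXY": "proxy-b.example:8080",
}

if __name__ == "__main__":
    print(audit(SAMPLE_ENV, "8.18.0"))
```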

Credit

Dwij Mehta (O2 Lab, Texas A&M University)
Daniel Stenberg