Information Leakage in libcurl for HTTP Requests
CVE-2026-6276

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 13 May 2026

What is CVE-2026-6276?

libcurl handles the 'Host' header improperly across HTTP requests that reuse an easy handle, which can lead to unintended information leakage. Specifically, when a custom 'Host' header is set for an initial HTTP request, a subsequent request that uses the same easy handle without the custom header can mistakenly send cookies intended for the first request to the second host. This behavior can expose sensitive information across different domains. Developers and security teams should apply the necessary patches and review how their applications use libcurl to mitigate these risks.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

Credit

Muhamad Arga Reksapati
Daniel Stenberg