Libcurl HTTP Password Leak Vulnerability in Curl Software
CVE-2026-6429
Currently unrated
What is CVE-2026-6429?
A vulnerability in libcurl occurs when it is instructed to read credentials from a .netrc file while also following HTTP redirects. Under specific conditions, libcurl can leak the password used for the first host to the host it is redirected to, potentially compromising sensitive information. Users of this software should be aware of these implications and apply the necessary mitigations.
Affected Version(s)
curl 8.19.0
curl 8.18.0
curl 8.17.0
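
The following is an added example, not code from this page or from the curl project: a shell audit helper that flags curl command lines combining .netrc credentials with redirect following on a version listed above. The function names are hypothetical, the version list is only what this page shows, and the short-option table is an assumption taken from curl's manual.

```shell
# Versions copied from the "Affected Version(s)" list on this page.
AFFECTED_VERSIONS="8.17.0 8.18.0 8.19.0"
# curl short options that take an argument (assumption: from curl's manual).
ARG_SHORT_OPTS="AbCcDdEeFHKmoPQrTtUuwXxYyz"

# is_affected_version VERSION: succeeds if VERSION is in the list above.
is_affected_version() {
    local v
    for v in $AFFECTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# uses_netrc_with_redirects ARGS...: succeeds if the curl arguments enable
# both .netrc credentials and redirect following. Heuristic: config files
# (-K, .curlrc) and --no-* overrides are not evaluated.
uses_netrc_with_redirects() {
    local netrc=0 follow=0 skip=0 tok rest ch
    for tok in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi  # option argument
        case "$tok" in
            --netrc|--netrc-optional) netrc=1 ;;
            --netrc-file) netrc=1; skip=1 ;;
            --location|--location-trusted) follow=1 ;;
            --*) ;;                                      # other long options
            -?*)                                         # short option cluster
                rest=${tok#-}
                while [ -n "$rest" ]; do
                    ch=${rest%"${rest#?}"}; rest=${rest#?}
                    case "$ch" in n) netrc=1 ;; L) follow=1 ;; esac
                    case "$ARG_SHORT_OPTS" in
                        *"$ch"*) [ -z "$rest" ] && skip=1; break ;;
                    esac
                done ;;
        esac
    done
    [ "$netrc" -eq 1 ] && [ "$follow" -eq 1 ]
}

# needs_review VERSION ARGS...: succeeds when a listed version is used
# with the option combination described on this page.
needs_review() {
    local version=$1; shift
    is_affected_version "$version" && uses_netrc_with_redirects "$@"
}
```

Pass the version reported by `curl --version` and the arguments of each invocation found in scripts or CI jobs; a match means the invocation should be reviewed, not that a leak occurred.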
