OCSP Stapling Vulnerability in cURL Affecting Server Certificate Validation
CVE-2026-7009

Key Information:

Vendor: Curl
Status: Vendor
CVE Published: 13 May 2026

What is CVE-2026-7009?

The vulnerability in cURL arises when the software is configured to use the Certificate Status Request TLS extension, commonly known as OCSP stapling, to verify the server certificate. In this scenario, cURL does not handle OCSP response errors correctly, so a connection can appear to have a validated server certificate when it does not. An attacker could exploit this improper validation to misrepresent a server's identity and compromise the security of the connection. Users of cURL should be aware of this issue and take the necessary precautions until a patch is applied.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Carlos Carrillo
Stefan Eissing