libcurl Vulnerability in HTTP Proxy Authentication Featuring Digest Credentials
CVE-2026-7168

Currently unrated

Key Information:

Vendor

Curl

Status
Curl
Vendor
CVE Published:
13 May 2026

What is CVE-2026-7168?

A flaw exists in libcurl that arises when transferring data over a specific HTTP proxy with Digest authentication. If a user successfully connects through one proxy (proxyA) and then switches to a second proxy (proxyB) using the same connection handle, libcurl incorrectly uses the Proxy-Authorization: header intended for proxyA during the request to proxyB. This mismanagement of header fields can lead to unauthorized access and exposure of sensitive information, thereby undermining the intended security of the proxy configuration.

Affected Version(s)

curl 8.19.0

curl 8.18.0

curl 8.17.0

References

https://curl.se/docs/CVE-2026-7168.json
https://curl.se/docs/CVE-2026-7168.html
https://hackerone.com/reports/3697719

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muhamad Arga Reksapati
Daniel Stenberg
.