TLS Configuration Mismatch Vulnerability in cURL Software by curl.se
CVE-2026-8286

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-8286?

A vulnerability exists in cURL where using STARTTLS to upgrade a connection may inadvertently reuse an existing live connection, even if that connection's TLS configuration settings are not compatible with the ones requested. Sensitive data could then be transmitted over an improperly secured channel. Users should ensure they are running the latest version to mitigate this issue.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Nesbitt (powered by Mythos)
Stefan Eissing