Authentication Bypass in Curl Affects Multiple Users
CVE-2026-8926
Currently unrated
What is CVE-2026-8926?
A vulnerability exists in curl where the program may improperly use credentials stored in a .netrc file. When a user specifies a URL with a username but without a password, curl can retrieve and use a password that belongs to a different user if one is configured for that hostname in the same .netrc file. Because the credentials may not match the intended user, this could lead to unauthorized access and potentially compromise sensitive data.
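An added example (not part of the advisory and not curl's code): a Python audit that flags the condition described above, a URL carrying a username but no password whose host has a .netrc password stored under a different login. The parser is a simplified reading of the .netrc format that assumes unquoted tokens; `mismatched_entries` and `password_for` are hypothetical helper names, and the sample file is constructed.

```python
from urllib.parse import urlsplit

# Constructed sample .netrc content (not real credentials).
SAMPLE_NETRC = """\
machine example.test login bob password bob-secret
machine example.test login alice password alice-secret
machine other.test login carol password carol-secret
"""

def parse_netrc(text):
    """Return every entry in file order as a dict (machine, login, password)."""
    entries, cur, key, in_macro = [], None, None, False
    for line in text.splitlines():
        if in_macro:                      # a macdef body runs to the next blank line
            in_macro = bool(line.strip())
            continue
        if line.lstrip().startswith("#"):
            continue
        for tok in line.split():
            if key == "macdef":           # tok is the macro name; skip its body
                key, in_macro = None, True
                break
            if key == "machine":
                cur = {"machine": tok.lower(), "login": None, "password": None}
                entries.append(cur)
                key = None
            elif key is not None:
                if cur is not None:
                    cur[key] = tok
                key = None
            elif tok == "default":
                cur = {"machine": None, "login": None, "password": None}
                entries.append(cur)
            elif tok in ("machine", "login", "password", "account", "macdef"):
                key = tok
    return entries

def mismatched_entries(netrc_text, url):
    """Entries for the URL's host that hold a password for a different login."""
    parts = urlsplit(url)
    if not parts.username or parts.password is not None:
        return []                         # only "user given, no password" URLs matter here
    host = (parts.hostname or "").lower()
    return [e for e in parse_netrc(netrc_text)
            if e["machine"] == host and e["password"] is not None
            and e["login"] not in (None, parts.username)]

def password_for(netrc_text, host, user):
    """Expected rule: return a password only when the entry's login equals user."""
    for e in parse_netrc(netrc_text):
        if e["machine"] == host.lower() and e["login"] == user:
            return e["password"]
    return None
```

Any non-empty result from `mismatched_entries` marks a host and username pair worth reviewing on the affected versions listed below.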
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
