Authentication Bypass in Curl Affects Multiple Users
CVE-2026-8926

Currently unrated

Key Information:

Vendor: Curl

CVE Published: 3 July 2026

What is CVE-2026-8926?

A vulnerability exists in Curl where the program may improperly utilize credentials stored in a .netrc file. When a user specifies a URL with a username but without a password, Curl can retrieve and use a password that belongs to a different user if one is configured for that hostname in the same .netrc file. This could lead to unauthorized access, as the credentials may not match the intended user, potentially compromising sensitive data.
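To check whether a given URL and .netrc file meet the precondition described above, the following added example (not curl's code and not part of the original advisory) lists the logins other than the URL's user that hold a password for the URL's host. The function names and the sample file are constructed for illustration, and the tokenizer is simplified (no quoted values); it does not model curl's own lookup.

```python
from urllib.parse import urlsplit

# Constructed sample .netrc content (not taken from the advisory).
SAMPLE_NETRC = """\
machine ftp.example.com login alice password alice-secret
machine ftp.example.com
  login bob
machine api.example.org login deploy password deploy-secret
"""

def parse_entries(text):
    """Return every .netrc entry in order, keeping duplicate hosts separate."""
    tokens, in_macro = [], False
    for line in text.splitlines():
        if in_macro:                      # a macdef body runs to the next blank line
            in_macro = bool(line.strip())
            continue
        if line.lstrip().startswith("#"):
            continue
        words = line.split()
        if "macdef" in words:
            words, in_macro = words[:words.index("macdef")], True
        tokens.extend(words)
    entries, i = [], 0
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "default":              # catch-all entry, never matched by hostname here
            entries.append({"machine": "", "login": None, "has_password": False})
            i += 1
            continue
        if tok == "machine" and nxt is not None:
            entries.append({"machine": nxt.lower(), "login": None, "has_password": False})
        elif tok == "login" and entries:
            entries[-1]["login"] = nxt
        elif tok == "password" and entries and nxt is not None:
            entries[-1]["has_password"] = True
        i += 2 if tok in ("machine", "login", "password", "account") else 1
    return entries

def foreign_passwords(url, netrc_text):
    """Logins other than the URL's user that hold a password for the URL's host.
    Returns [] when the URL has no username or already carries a password."""
    parts = urlsplit(url)
    if not parts.username or parts.password is not None:
        return []
    return sorted({e["login"] or "<no login>" for e in parse_entries(netrc_text)
                   if e["machine"] == parts.hostname and e["has_password"]
                   and e["login"] != parts.username})
```

A non-empty result means the URL and file match the situation the description covers and are worth reviewing on the affected versions listed below.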

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0


Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joshua Rogers (Aisle Research)
Stefan Eissing