Proxy Authentication Leak in libcurl Affects Multiple Network Transfers
CVE-2026-8927

Currently unrated

Key Information:

Vendor

Curl

Status
Vendor
CVE Published:
3 July 2026

What is CVE-2026-8927?

A vulnerability in libcurl occurs when reusing a handle for sequential transfers with environment-variable proxy settings. The issue arises when authentication credentials for one proxy (proxyA using Digest authentication) are not cleared before a subsequent transfer through a different proxy (proxyB). This flaw leads to the unintentional exposure of sensitive Proxy-Authorization: headers, posing a risk of unauthorized access to proxies.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ady Elouej
Daniel Stenberg
.