Improper SSL/TLS Verification in libcurl Affects Users with Insecure Connections
CVE-2026-9545


Key Information:

Vendor: Curl
Status: Vendor
CVE Published: 3 July 2026

What is CVE-2026-9545?

The libcurl library is susceptible to a vulnerability in its SSL session caching mechanism. When a user connects to an HTTP/3 server, the initial connection is established securely. However, if the same hostname is accessed a second time, and an attacker has replaced the original server with a fake one lacking a valid certificate, libcurl may send sensitive information before certificate verification fails. This happens because the SSL session is cached and reused with TLS early data, so request data can be transmitted before the new server's certificate has been verified, potentially exposing sensitive data. Users are advised to review the affected versions and apply the necessary security updates.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Eunsoo Kim (Autonomous Code Security team at Microsoft)
Stefan Eissing