HTTP Header Persistence Vulnerability in libcurl by Curl
CVE-2026-9546

Currently unrated

Key Information:

Vendor: Curl

CVE Published: 3 July 2026

What is CVE-2026-9546?

A flaw in libcurl allows the HTTP 'Referer:' header to persist after it has been explicitly cleared. Although the documentation states that setting 'CURLOPT_REFERER' to NULL should suppress the header, doing so fails to reset the internal state that manages the header. As a result, a previous referrer string can be reused, which can expose sensitive information to other servers during subsequent requests. Developers using libcurl should be wary of this issue, as it can significantly impact user privacy and data security.

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

renjian on HackerOne
Daniel Stenberg