HTTP Header Persistence Vulnerability in libcurl by Curl
CVE-2026-9546
Currently unrated
What is CVE-2026-9546?
A flaw in libcurl allows the HTTP 'Referer:' header to persist after it has been explicitly cleared. The documentation states that setting 'CURLOPT_REFERER' to NULL suppresses the header, but doing so fails to reset the internal state that manages it. As a result, a previous referrer string can be reused, exposing sensitive information to other servers during subsequent requests. Developers using libcurl should be aware of this issue, as it can significantly impact user privacy and data security.
Affected Version(s)
curl 8.20.0
curl 8.19.0
curl 8.18.0
