Vulnerability in libcurl affecting SCP and SFTP connections
CVE-2026-9547

Currently unrated

Key Information:

Vendor: Curl

Status
Vendor
CVE Published: 3 July 2026

What is CVE-2026-9547?

A security vulnerability exists in libcurl's handling of connections over the SCP and SFTP protocols. It occurs when libcurl mishandles a server host key whose type does not match the expected key stored in the known_hosts file. The flaw allows a libcurl-based application to connect to an untrusted server without raising an alert, potentially exposing users to man-in-the-middle attacks. Proper host key validation is essential to prevent unauthorized access and protect data integrity during file transfers.
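The decision a client should make for the case described above, as an added example (not libcurl's code and not part of the advisory): a host that is known only under a different key type must be treated as unverified. The host names, key blobs and function names are constructed for illustration, and hashed or marker (`@revoked`) entries are out of scope.

```python
import base64

def sample_blob(label: bytes) -> str:
    # Constructed stand-in for a base64 public key blob (not a real key).
    return base64.b64encode(label).decode()

# Constructed known_hosts content for the example.
KNOWN_HOSTS = f"""\
# constructed entries
files.example.test ssh-ed25519 {sample_blob(b'ed25519-key-A')}
backup.example.test ssh-rsa {sample_blob(b'rsa-key-B')}
backup.example.test ecdsa-sha2-nistp256 {sample_blob(b'ecdsa-key-C')}
"""

def parse_known_hosts(text):
    """Return {host: {key_type: key_blob}} for plain (unhashed) entries."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("@"):
            continue  # marker lines are not handled in this example
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            table.setdefault(host, {})[key_type] = blob
    return table

def check_host_key(table, host, offered_type, offered_blob):
    """Classify the key a server offered against the stored entries."""
    stored = table.get(host)
    if stored is None:
        return "unknown-host"
    if offered_type not in stored:
        # Host is known, but only under other key types: nothing was verified.
        return "type-mismatch"
    return "match" if stored[offered_type] == offered_blob else "key-mismatch"

def may_connect(verdict):
    # Fail closed: only an exact match of key type and key authenticates the server.
    return verdict == "match"
```
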

Affected Version(s)

curl 8.20.0

curl 8.19.0

curl 8.18.0

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joshua Rogers (Aisle Research)