CVE-2026-8924 in cURLinfo

Summary

by MITRE • 07/03/2026

A flaw in curl’s cookie parsing logic allows a malicious HTTP server to set 'super cookies' that bypass the Public Suffix List check. This enables an attacker-controlled origin to inject cookies that curl subsequently scopes and transmits to unrelated third-party domains.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability resides in curl's handling of HTTP cookies and represents a significant bypass of web browser security mechanisms designed to prevent cross-site tracking. The flaw specifically targets the Public Suffix List (PSL) validation process that normally prevents cookies from being set for domain suffixes like .com or .org, which could otherwise be exploited by attackers to place tracking cookies on arbitrary domains. When an attacker-controlled HTTP server sends a Set-Cookie header with a domain attribute that matches a public suffix, curl's cookie parsing logic fails to properly validate this against the PSL, allowing malicious cookies to be accepted and stored. This technical weakness stems from inadequate validation of domain scope parameters in cookie handling routines, creating a scenario where an attacker can craft cookies that appear to be scoped for legitimate domains while actually being set by malicious origins.

The operational impact of this vulnerability extends beyond simple tracking capabilities as it enables sophisticated attack vectors including session hijacking and cross-domain data exfiltration. An attacker who controls an HTTP server can manipulate curl applications to store cookies that will subsequently be transmitted to unrelated third-party domains, effectively creating what security researchers term "super cookies" that bypass standard browser security boundaries. These super cookies can contain sensitive information or authentication tokens that get transmitted across domain boundaries without proper scope enforcement, potentially exposing user sessions and personal data to unauthorized parties. The vulnerability affects any curl-based application that processes HTTP responses containing Set-Cookie headers, including web browsers using curl as their underlying HTTP engine, mobile applications, and server-side components that rely on curl for HTTP communication.

Security mitigations for this vulnerability must address the fundamental flaw in cookie validation logic while maintaining compatibility with legitimate use cases. Organizations should immediately update to curl versions that include patches addressing this specific PSL bypass issue, typically involving enhanced validation of domain attributes in Set-Cookie headers against the Public Suffix List database. System administrators should implement monitoring for unusual cookie behaviors and consider deploying additional network-level protections such as cookie filtering rules or web application firewalls that can detect and block suspicious cookie patterns. The vulnerability aligns with CWE-295 which covers "Improper Certificate Validation" and relates to ATT&CK technique T1566 for "Phishing" and T1071.004 for "Application Layer Protocol: DNS" as attackers may leverage this weakness in conjunction with other techniques to establish persistent access or conduct data exfiltration. Organizations should also review their curl-based applications for proper cookie handling implementation and ensure that domain validation is consistently enforced across all HTTP communication pathways, particularly those involving third-party integrations where the risk of malicious cookie injection is elevated.

Responsible

Curl

Reservation

05/19/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00219

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!