CVE-2026-8927 in cURLinfo

Summary

by MITRE • 07/03/2026

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/04/2026

This vulnerability represents a critical authentication bypass flaw in libcurl's handling of proxy credentials during sequential transfers. The issue manifests when applications reuse curl handles while relying on environment variable proxy configurations, creating a state persistence problem that violates fundamental security principles of credential isolation. When the first transfer authenticates with proxyA using digest authentication, the library retains authentication state information that should be cleared before initiating subsequent connections through different proxies. This behavior creates a direct pathway for unauthorized access where credentials intended for one proxy system inadvertently propagate to another, effectively enabling privilege escalation across network boundaries.

The technical root cause stems from improper state management within libcurl's internal proxy authentication mechanisms. According to CWE-284, this vulnerability maps directly to inadequate access control implementation where the software fails to properly clear or reset authentication contexts between separate proxy connections. The flaw operates at the application layer protocol handling level, specifically affecting HTTP proxy authentication flows where digest authentication tokens are cached and reused without proper context validation. When environment variables define different proxy configurations for different requests, the library should ensure complete credential isolation between proxy sessions but instead maintains stale authentication headers.

From an operational impact perspective, this vulnerability creates significant risk exposure for organizations relying on proxy-based network access control. Attackers could exploit this weakness to gain unauthorized access to internal resources by leveraging cached proxy credentials from previous authenticated connections. The vulnerability affects any application using libcurl with environment variable proxy configurations and sequential transfers through different proxy servers, making it particularly dangerous in enterprise environments where multiple proxy systems are commonly deployed. Network security monitoring may not detect this attack vector since the traffic appears legitimate, as it simply reuses valid authentication headers that were properly established for the first connection.

The mitigation approach requires implementing proper state clearing between proxy connections when using reusable curl handles. Organizations should ensure that curl handles are either properly reset between transfers or new handles are created for different proxy configurations. According to ATT&CK framework tactic TA0006 (Credential Access), this vulnerability represents a technique where adversaries leverage credential caching mechanisms to maintain access across multiple systems. Security teams should implement monitoring for unexpected Proxy-Authorization header propagation and consider updating libcurl versions that address this specific state management issue. Additionally, applications should explicitly configure proxy settings per request rather than relying on environment variables when sequential transfers through different proxies are required, thereby eliminating the conditions that trigger this vulnerability.

Responsible

Curl

Reservation

05/19/2026

Disclosure

07/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00250

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!