Native CA trust persist
=======================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-11564.html)

VULNERABILITY
-------------

libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup.

An easy handle that first uses default native CA trust can continue trusting
the native platform store after the application switches that same handle to
custom CA material for a later transfer.

INFO
----

This flaw can make curl accept server TLS certificates that it should reject,
since applications often set custom CA material precisely to narrow the set of
issuers that the native CA store would otherwise accept.

This issue applies to builds that use the "Native CA" store by default, which
is possible on Apple operating systems and Windows.

This flaw exists when libcurl is built to use the OpenSSL, GnuTLS, Schannel or
Rustls TLS backends.

This bug is not considered a *C mistake* (not likely to have been avoided had
we not been using C).

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-11564 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.17.0 to and including 8.20.0
- Not affected versions: curl < 8.17.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/eefd03c572996e5de4dec4fe

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/d69bfad3fa3daf5e72331f6870667

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid re-using easy handles with different CA options

TIMELINE
--------

This issue was reported to the curl project on June 5, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Filipe Casal of Trail of Bits in collaboration with OpenAI
- Patched-by: Stefan Eissing

Thanks a lot!
