cross-origin Digest auth state leak =================================== Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-11856.html) VULNERABILITY ------------- Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`. INFO ---- An evil `hostB` could use this incoming request header field to impersonate the client in communicating with `hostA`, as the header contains the authenticated state. There is nothing in the request details passed to `hostB` that reveal the name or the address of `hostA`, which mitigates this problem. Also, since the credentials are not exposed, a malicious actor can only repeat the single specific request for that exact path. This flaw is similar to [CVE-2026-7168](https://curl.se/docs/CVE-2026-7168.html) but for host authentication instead of proxy. This bug is **not** considered a *C mistake* (likely to have been avoided had we not been using C). This flaw does not affect the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-11856 to this issue. CWE-294: Authentication Bypass by Capture-replay Severity: Medium AFFECTED VERSIONS ----------------- - Affected versions: curl 7.10.6 to and including 8.20.0 - Not affected versions: curl < 7.10.6 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/334d78cd18a7310144383 libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/5c6b4880357ab3e72967c1c45c RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - Avoid reusing handles when changing origin TIMELINE --------- This issue was reported to the curl project on June 10, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: jjchuck on hackerone - Patched-by: Daniel Stenberg Thanks a lot!