proto-default skips SSH verification ==================================== Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-12064.html) VULNERABILITY ------------- When a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error. INFO ---- This bug is **not** considered a *C mistake* (likely to have been avoided had we not been using C). This flaw only affects the curl command line tool, not other users of libcurl or the libcurl library itself. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-12064 to this issue. CWE-297: Improper Validation of Certificate with Host Mismatch Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.81.0 to and including 8.20.0 - Not affected versions: curl < 7.81.0 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/18270893abdb19f0ca170c118f8a SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/ab3bb8cd8be8f9d4acb97da041 RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - Avoid using `--proto-default` for scp or sftp TIMELINE --------- This issue was reported to the curl project on June 12, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: alienowo on hackerone (AntAISecurityLab) - Patched-by: Daniel Stenberg Thanks a lot!