wrong STARTTLS connection reuse
===============================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-8286.html)

VULNERABILITY
-------------

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the
connection might reuse an existing live connection even though its TLS
configuration does not match, so the connection should not have been reused.

INFO
----

For data transfers using URL schemes that start as cleartext but upgrade to
TLS, the validation logic ensuring configuration consistency between transfers
is not invoked. This affects `IMAP://`, `POP3://`, `SMTP://`, `FTP://`, and
`LDAP://` schemes, potentially allowing connection reuse with mismatched TLS
settings.
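The following Python model is an added illustration, not curl's own code: it sketches a connection-cache reuse check in the shape the paragraph above describes, with the STARTTLS schemes skipping the TLS-configuration comparison that direct-TLS schemes get, and beside it a patched variant that compares the configuration whenever TLS is or will be in play. The `TlsConfig` fields, the scheme sets and the mail server name are assumptions made for the example; the patched variant shows how I would expect the fix to behave and is not a transcription of curl's patch.

```python
# Added illustration, not curl's own code: a simplified model of the
# connection-cache reuse check that the advisory describes.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Schemes that start cleartext and may upgrade to TLS via STARTTLS (from the advisory).
STARTTLS_SCHEMES = {"imap", "pop3", "smtp", "ftp", "ldap"}
# Schemes that negotiate TLS from the first byte (assumed set for this model).
DIRECT_TLS_SCHEMES = {"imaps", "pop3s", "smtps", "ftps", "ldaps", "https"}


@dataclass(frozen=True)
class TlsConfig:
    """Hypothetical subset of per-transfer TLS options that must agree before
    a connection may be shared (the real library compares many more fields)."""
    verify_peer: bool
    verify_host: bool
    cafile: str


@dataclass(frozen=True)
class Transfer:
    scheme: str
    host: str
    port: int
    use_ssl: bool      # for STARTTLS schemes: does the transfer ask to upgrade?
    tls: TlsConfig


@dataclass
class Connection:
    scheme: str
    host: str
    port: int
    tls_active: bool   # TLS is established on the socket (possibly via STARTTLS)
    tls: TlsConfig     # configuration the connection was set up with


def same_endpoint(conn: Connection, xfer: Transfer) -> bool:
    return (conn.scheme, conn.host, conn.port) == (xfer.scheme, xfer.host, xfer.port)


def reusable_unpatched(conn: Connection, xfer: Transfer) -> bool:
    """Model of the flawed check: TLS settings are compared only for schemes
    that are TLS from the start; STARTTLS schemes skip the comparison."""
    if not same_endpoint(conn, xfer):
        return False
    if xfer.scheme in DIRECT_TLS_SCHEMES:
        return conn.tls == xfer.tls
    return True  # imap://, smtp://, ...: TLS config never consulted (the flaw)


def reusable_patched(conn: Connection, xfer: Transfer) -> bool:
    """Model of a corrected check: whenever TLS is or will be in play on either
    side, the configurations must match, regardless of how TLS was reached."""
    if not same_endpoint(conn, xfer):
        return False
    tls_wanted = xfer.scheme in DIRECT_TLS_SCHEMES or (
        xfer.scheme in STARTTLS_SCHEMES and xfer.use_ssl)
    if tls_wanted or conn.tls_active:
        return conn.tls == xfer.tls
    return True


def pick_connection(pool: Iterable[Connection], xfer: Transfer,
                    check: Callable[[Connection, Transfer], bool]) -> Optional[Connection]:
    """Return the first pooled connection the given check accepts, else None."""
    for conn in pool:
        if check(conn, xfer):
            return conn
    return None


# Constructed scenario: an earlier transfer upgraded an imap:// connection with
# peer verification switched off (e.g. a debugging setting), and a later transfer
# to the same server demands full verification.
LAX = TlsConfig(verify_peer=False, verify_host=False, cafile="")
STRICT = TlsConfig(verify_peer=True, verify_host=True,
                   cafile="/etc/ssl/certs/ca-certificates.crt")

POOL = [Connection("imap", "mail.example.test", 143, tls_active=True, tls=LAX)]
STRICT_XFER = Transfer("imap", "mail.example.test", 143, use_ssl=True, tls=STRICT)
LAX_XFER = Transfer("imap", "mail.example.test", 143, use_ssl=True, tls=LAX)

if __name__ == "__main__":
    # The flawed check hands the strict transfer the lax connection; the patched one refuses.
    print("unpatched reuses lax connection:",
          pick_connection(POOL, STRICT_XFER, reusable_unpatched) is not None)
    print("patched reuses lax connection:  ",
          pick_connection(POOL, STRICT_XFER, reusable_patched) is not None)
```

Run it directly to see the flawed check return the verification-disabled connection to a transfer that asked for full verification, while the patched check returns no match and forces a fresh connection.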

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-8286 to this issue.

CWE-295: Improper Certificate Validation

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.30.0 to and including 8.20.0
- Not affected versions: curl < 7.30.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/a1701eea289fe7ea8065

STARTTLS support was introduced in curl via a number of separate commits for
the different protocols. The specific commit mentioned above did not introduce
the problem for all the protocols at once.

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION
--------

curl 8.21.0 fixes this logical flaw.

- Fixed-in: https://github.com/curl/curl/commit/a86efdd7ca5433de9231e6

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade to curl and libcurl 8.21.0

 B - Apply the patch and rebuild libcurl

 C - Do not use clear-text IMAP/POP3/SMTP/FTP/LDAP transfers

TIMELINE
---------

It was reported to the curl project on May 6 2026. We contacted
distros@openwall on June XX.

libcurl 8.21.0 was released on June 24 2026, coordinated with the
publication of this advisory.

CREDITS
-------

- Reported-by: Andrew Nesbitt (powered by Mythos)
- Patched-by: Stefan Eissing

Thanks a lot!
