wrong reuse for different services ================================== Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-8458.html) VULNERABILITY ------------- libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services". libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services. INFO ---- The intended service to use for Negotiate is set with CURLOPT_SERVICE_NAME or CURLOPT_PROXY_SERVICE_NAME. This flaw still only triggers while using the same hostname, port number and credentials and the previous conneciton is still found alive in the connection pool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8458 to this issue. This flaw is similar to [CVE-2026-5545](CVE-2026-5545.md). CWE-488: Exposure of Data Element to Wrong Session Severity: Low AFFECTED VERSIONS ----------------- This flaw has existed since curl started to support setting the service name for Negotiate. - Affected versions: from curl 7.43.0 to and including 8.20.0 - Not affected versions: curl < 7.43.0 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/97c272e5d173ad5f706 libcurl is used by many applications, but not always advertised as such! This bug is not considered a *C mistake*. It is not likely to have been avoided had we not been using C. This flaw **does not** affect the curl command line tool. SOLUTION -------- curl 8.21.0 makes sure that connection reuse take the service name into account. - Fixed-in: https://github.com/curl/curl/commit/5e99b73cf441d9c369768b9cd RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade to curl and libcurl 8.21.0 B - Apply the patch and rebuild libcurl C - Avoid using HTTP Negotiate in your application TIMELINE --------- It was reported to the curl project on May 8 2026. We contacted distros@openwall on June XX 2026. libcurl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Muhamad Arga Reksapati - Patched-by: Stefan Eissing Thanks a lot!