password leak with netrc and user in URL
========================================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-8926.html)

VULNERABILITY
-------------

When asking curl to use a `.netrc` file to find credentials and at the same
time specifying a URL with a username (without a password), like
`https://user@example.com/`, curl could wrongly get and use the password for
*another* user set in the `.netrc` file for that host if such a one exists and
there is no match for the specified user.
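The lookup rule at issue, as an added illustration that is not curl's own code: a minimal `.netrc` parser over a constructed sample file, a `lookup_buggy` that reproduces the fallback described above (no entry for the URL's user, so another user's password for the same host is picked up), the corrected rule that returns nothing when the named user has no entry, and a small audit helper that flags the precondition (a host with more than one login in the file). Names, the sample file and the `dave` URL user are all constructed for this example.

```python
"""Constructed demonstration of the .netrc lookup rule; not curl's own code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample .netrc: two logins for the same host.
NETRC_SAMPLE = """\
machine example.com login alice password alice-secret
machine example.com login bob password bob-secret
machine other.example login carol password carol-secret
"""


@dataclass
class Entry:
    machine: str
    login: Optional[str] = None
    password: Optional[str] = None


def parse_netrc(text: str) -> List[Entry]:
    """Minimal .netrc tokenizer: handles machine/login/password/account.
    'default' and 'macdef' are deliberately not handled in this example."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            cur = Entry(machine=tokens[i + 1])
            entries.append(cur)
            i += 2
        elif tok in ("login", "password") and cur is not None and i + 1 < len(tokens):
            setattr(cur, tok, tokens[i + 1])
            i += 2
        elif tok == "account":
            i += 2  # value is not needed here
        else:
            i += 1  # unknown token: skip
    return entries


def lookup_buggy(entries: List[Entry], host: str, url_user: Optional[str]):
    """Mirrors the fallback the advisory describes: when no entry for `host`
    matches `url_user`, take the host's first entry anyway, so the request
    would go out as `url_user` with another user's password."""
    for e in entries:
        if e.machine == host and (url_user is None or e.login == url_user):
            return (e.login, e.password)
    for e in entries:
        if e.machine == host:
            return (url_user or e.login, e.password)  # another user's secret
    return None


def lookup_fixed(entries: List[Entry], host: str, url_user: Optional[str]):
    """Correct rule: a user name given in the URL only ever matches its own
    netrc entry; with no matching login for that host, nothing is returned."""
    for e in entries:
        if e.machine == host and (url_user is None or e.login == url_user):
            return (e.login, e.password)
    return None


def hosts_with_multiple_logins(entries: List[Entry]) -> Dict[str, List[str]]:
    """Audit helper: hosts with more than one login in the file, which is the
    precondition under which the flaw can hand out the wrong password."""
    by_host: Dict[str, List[str]] = {}
    for e in entries:
        if e.login is not None:
            by_host.setdefault(e.machine, []).append(e.login)
    return {h: logins for h, logins in by_host.items() if len(logins) > 1}


if __name__ == "__main__":
    entries = parse_netrc(NETRC_SAMPLE)
    # URL user "dave" has no entry for example.com in the sample file.
    print("buggy:", lookup_buggy(entries, "example.com", "dave"))
    print("fixed:", lookup_fixed(entries, "example.com", "dave"))
    print("audit:", hosts_with_multiple_logins(entries))
```

Running the audit helper over a real `.netrc` is a quick way to tell whether a file is exposed to this behaviour at all: a host with a single login cannot have the wrong password selected for it.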

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-8926 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.11.1 to and including 8.20.0
- Not affected versions: curl < 8.11.1 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/e9b9bbac22c26cf67

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw is also accessible using the curl command line tool.

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/4ae1d7cc2643e47

RECOMMENDATIONS
---------------

 A - Upgrade curl to version 8.21.0

 B - Apply the patch to your local version

 C - Do not use netrc for authentication data

TIMELINE
--------

This issue was reported to the curl project on May 14, 2026. We contacted
distros@openwall on June XX, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: Joshua Rogers (Aisle Research)
- Patched-by: Stefan Eissing

Thanks a lot!
