env-set cross-proxy Digest auth state leak ========================================== Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-8927.html) VULNERABILITY ------------- When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`. INFO ---- An evil `proxyB` could use this incoming request header field to impersonate the client in communicating with `proxyA`, as the header contains the authenticated state. There is nothing in the request details passed to `proxyB` that reveal the name or the address of `proxyA`, which mitigates this problem. This flaw is almost identical to [CVE-2026-7168](https://curl.se/docs/CVE-2026-7168.html). The difference lies primarily in how the proxy is selected. This bug is **not** considered a *C mistake* (likely to have been avoided had we not been using C). This flaw does not affect the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8927 to this issue. CWE-294: Authentication Bypass by Capture-replay Severity: Medium AFFECTED VERSIONS ----------------- - Affected versions: curl 7.12.0 to and including 8.20.0 - Not affected versions: curl < 7.12.0 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/5c225384b8d52c6 RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - Avoid reusing handles when changing proxies TIMELINE --------- This issue was reported to the curl project on May 18, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Ady Elouej - Patched-by: Daniel Stenberg Thanks a lot!