incomplete mTLS config matching in conn reuse ============================================= Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-8932.html) VULNERABILITY ------------- libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key. INFO ---- This flaw is similar to [CVE-2022-27782](https://curl.se/docs/CVE-2022-27782.html). This bug is **not** considered a *C mistake* (likely to have been avoided had we not been using C). This flaw does not affect the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8932 to this issue. CWE-305: Authentication Bypass by Primary Weakness Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.7 to and including 8.20.0 - Not affected versions: curl < 7.7 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b0 libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/7541ae569d82fb308a5e2d94 RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - Avoid reusing handles when changing client cert details TIMELINE --------- This issue was reported to the curl project on May 13, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Joshua Rogers (Aisle Research) - Patched-by: Joshua Rogers (Aisle Research) Thanks a lot!