stale proxy password leak
=========================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-9079.html)

VULNERABILITY
-------------

libcurl had a flaw that when instructed to clear proxy authentication
credentials which made it not do so, leaving the old credentials around to get
used for subsequent tranfers that should not know nor use them.

INFO
----

This bug is **not** considered a *C mistake* (likely to have been avoided had
we not been using C).

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-9079 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Medium

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.8.0 to and including 8.20.0
- Not affected versions: curl < 8.8.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/d5e83eb745762f48d8f

libcurl is used by many applications, but not always advertised as such!

SOLUTION
------------

- Fixed-in: https://github.com/curl/curl/commit/88c7e16cceec816a2df45c89

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid reusing handles when changing proxy credentials

TIMELINE
---------

This issue was reported to the curl project on May 20, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

XlabAI Team of Tencent Xuanwu Lab

- Reported-by: Guannan Wang
- Reported-by: Zhanpeng Liu
- Reported-by: Jiashuo Liang
- Reported-by: Guancheng Li
- Patched-by: Daniel Stenberg

Thanks a lot!