exposing HTTP/3 early data ========================== Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-9545.html) VULNERABILITY ------------- In this scenario, libcurl first uses a proper HTTP/3 server for the initial transfers, and when it makes a second transfer to the same site it has been replaced by the attacker's impostor machine - without a valid certificate. When libcurl returns to the hostname the second time with a cached SSL session (`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the `CURLSSLOPT_EARLYDATA` bit is set in`CURLOPT_SSL_OPTIONS`), libcurl might send off the second request's bytes on that new connection *before* enforcing the certificate verification failure. Potentially leaking sensitive information. INFO ---- This flaw is HTTP/3 specific (and only for the ngtcp2 + nghttp3 backend), which only is used for `HTTPS://` URLs. This bug is not considered a *C mistake* (not likely to have been avoided had we not been using C). This flaw also affects the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9545 to this issue. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 8.11.0 to and including 8.20.0 - Not affected versions: curl < 8.11.0 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/962097b8dd44ed5b9 libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/7b9613fa9b1a5e04301a39 RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - Avoid using TLS early data TIMELINE --------- This issue was reported to the curl project on May 19, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Eunsoo Kim - Patched-by: Stefan Eissing Thanks a lot!