sending old referer
===================

Project curl Security Advisory, June 24 2026
[Permalink](https://curl.se/docs/CVE-2026-9546.html)

VULNERABILITY
-------------

A vulnerability in libcurl caused the HTTP `Referer:` header to persist even
when explicitly cleared. While the documentation states that passing NULL to
`CURLOPT_REFERER` suppresses the header, the option failed to clear the
internal state. As a result, the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.

INFO
----

This bug is not considered a *C mistake* (not likely to have been avoided had
we not been using C).

This flaw does not affect the curl command line tool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-9546 to this issue.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 8.18.0 to and including 8.20.0
- Not affected versions: curl < 8.18.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/2cb868242dc2ac9cd5

libcurl is used by many applications, but not always advertised as such!

SOLUTION
--------

- Fixed-in: https://github.com/curl/curl/commit/862e8a74a84478d82973471

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

 A - Upgrade curl and libcurl to version 8.21.0

 B - Apply the patch to your version and rebuild

 C - Avoid using `CURLOPT_REFERER`

TIMELINE
--------

This issue was reported to the curl project on May 22, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of
this advisory.

CREDITS
-------

- Reported-by: renjian on hackerone
- Patched-by: Daniel Stenberg

Thanks a lot!
