SSH improper host validation ============================ Project curl Security Advisory, June 24 2026 [Permalink](https://curl.se/docs/CVE-2026-9547.html) VULNERABILITY ------------- When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack. INFO ---- This bug is only present when curl is built with the libssh backend. The same bug does not exist with libssh2. This bug is not considered a *C mistake* (not likely to have been avoided had we not been using C). This flaw does not affect the curl command line tool. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9547 to this issue. CWE-297: Improper Validation of Certificate with Host Mismatch Severity: Low AFFECTED VERSIONS ----------------- - Affected versions: curl 7.69.0 to and including 8.20.0 - Not affected versions: curl < 7.69.0 and >= 8.21.0 - Introduced-in: https://github.com/curl/curl/commit/507cf6a13db0375eadd libcurl is used by many applications, but not always advertised as such! SOLUTION ------------ - Fixed-in: https://github.com/curl/curl/commit/0b8dbbc63c98777e4584cb9 RECOMMENDATIONS --------------- We suggest you take one of the following actions immediately, in order of preference: A - Upgrade curl and libcurl to version 8.21.0 B - Apply the patch to your version and rebuild C - build libcurl with libssh2 instead of libssh TIMELINE --------- This issue was reported to the curl project on May 20, 2026. curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory. CREDITS ------- - Reported-by: Joshua Rogers (Aisle Research) - Patched-by: Joshua Rogers (Aisle Research) Thanks a lot!