{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-12064",
  "aliases": [
    "CVE-2026-12064"
  ],
  "summary": "proto-default skips SSH verification",
  "modified": "2026-06-24T07:56:56.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "tool",
    "URL": "https://curl.se/docs/CVE-2026-12064.json",
    "www": "https://curl.se/docs/CVE-2026-12064.html",
    "issue": "https://hackerone.com/reports/3797526",
    "CWE": {
      "id": "CWE-297",
      "desc": "Improper Validation of Certificate with Host Mismatch"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "7.81.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "18270893abdb19f0ca170c118f8a2847dbd304be"},
             {"fixed": "ab3bb8cd8be8f9d4acb97da0418abc279182041e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", 
        "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", 
        "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", 
        "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "alienowo on hackerone (AntAISecurityLab)",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When a user invokes curl with a schemeless URL combined with\n`--proto-default sftp` (or `scp`), the tool layer and libcurl disagree about\nwhich scheme is in use. The tool layer infers the wrong URL scheme and\ntherefore never sets the SSH security options such as\nCURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Meanwhile, the\nlibcurl runtime honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection\nover SFTP/SCP as requested. Because the tool layer skipped the host\nverification configuration, the remote SSH host key is never checked and curl\nconnects to an unverified remote host without reporting an error. Only\nschemeless URLs trigger the mismatch; giving the URL an explicit scheme (for\nexample sftp://host/path) takes the normal, verified code path. Fixed in\n8.21.0."
}