CVE-2026-11856
cross-origin Digest auth state leak
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
Successfully using libcurl to do a transfer to a specific HTTP origin (hostA) with Digest authentication and then changing the origin to a different one (hostB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the
Authorization: header field meant for hostA, to hostB.
INFO
An evil hostB could use this incoming request header field to impersonate the client in communicating with hostA, as the header contains the authenticated state.
There is nothing in the request details passed to hostB that reveal the name or the address of hostA, which mitigates this problem. Also, since the credentials are not exposed, a malicious actor can only repeat the single specific request for that exact path.
This flaw is similar to CVE-2026-7168 but for host authentication instead of proxy.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-11856 to this issue.
CWE-294: Authentication Bypass by Capture-replay
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 7.10.6 to and including 8.20.0
- Not affected versions: curl < 7.10.6 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/334d78cd18a7310144383
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid reusing handles when changing origin
TIMELINE
This issue was reported to the curl project on June 10, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: jjchuck on hackerone
- Patched-by: Daniel Stenberg
Thanks a lot!