CVE-2026-12064

proto-default skips SSH verification

Project curl Security Advisory, June 24 2026 Permalink

VULNERABILITY

When a user invokes curl using a schemeless URL combined with --proto-default sftp (or scp), a disconnect occurs between the tool layer and libcurl. The tool layer incorrectly infers the URL scheme, which erroneously bypasses the initialization of critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the libcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes the connection via SFTP/SCP as specified. Because the tool layer skipped the security configuration, these SSH host verification options are silently omitted, causing curl to connect to an unverified SSH remote host without throwing an error.

INFO

This bug is not considered a C mistake (likely to have been avoided had we not been using C).

This flaw only affects the curl command line tool, not other users of libcurl or the libcurl library itself.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-12064 to this issue.

CWE-297: Improper Validation of Certificate with Host Mismatch

Severity: Low

AFFECTED VERSIONS

• Affected versions: curl 7.81.0 to and including 8.20.0
• Not affected versions: curl < 7.81.0 and >= 8.21.0
• Introduced-in: https://github.com/curl/curl/18270893abdb19f0ca170c118f8a

SOLUTION

• Fixed-in: https://github.com/curl/curl/commit/ab3bb8cd8be8f9d4acb97da041

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade curl and libcurl to version 8.21.0

B - Apply the patch to your version and rebuild

C - Avoid using --proto-default for scp or sftp

TIMELINE

This issue was reported to the curl project on June 12, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.

CREDITS

• Reported-by: alienowo on hackerone (AntAISecurityLab)
• Patched-by: Daniel Stenberg

Thanks a lot!