curl / Docs / curl CVEs / token leak with redirect and netrc

CVE-2026-3783

token leak with redirect and netrc

Project curl Security Advisory, March 11th 2026 Permalink

VULNERABILITY

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-3783 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Medium

AFFECTED VERSIONS

Affected versions: curl 7.33.0 to and including 8.18.0
Not affected versions: curl < 7.33.0 and >= 8.19.0
Introduced-in: https://github.com/curl/curl/commit/06c1bea72faabb6fad4b7ef8

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION

curl 8.19.0 fixes this flaw

Fixed-in: https://github.com/curl/curl/commit/e3d7401a32a46516c9e5ee877

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 8.19.0

B - Apply the patch and rebuild libcurl

C - Avoid using Bearer tokens with redirects

TIMELINE

It was reported to the curl project on March 3rd 2026. We contacted distros@openwall on March 8.

libcurl 8.19.0 was released on March 11th 2026, coordinated with the publication of this advisory.

CREDITS

Reported-by: spectreglobalsec on hackerone
Patched-by: Daniel Stenberg

Thanks a lot!