CVE-2026-3784

wrong proxy connection reuse with credentials

Project curl Security Advisory, March 11th 2026 Permalink

VULNERABILITY

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-3784 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Low

AFFECTED VERSIONS

• Affected versions: curl 7.7 to and including 8.18.0
• Not affected versions: curl < 7.7 and >= 8.19.0
• Introduced-in: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION

curl 8.19.0 fixes this flaw

• Fixed-in: https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 8.19.0

B - Apply the patch and rebuild libcurl

C - Avoid using HTTP proxy with alternating credentials

TIMELINE

It was reported to the curl project on March 4th 2026. We contacted distros@openwall on March 8.

libcurl 8.19.0 was released on March 11th 2026, coordinated with the publication of this advisory.

CREDITS

• Reported-by: Muhamad Arga Reksapati (HackerOne: nobcoder)
• Patched-by: Stefan Eissing

Thanks a lot!