CVE-2026-6276
stale custom cookie host causes cookie leak
Project curl Security Advisory, April 29 2026
VULNERABILITY
Using libcurl, when an application first sets a custom Host: header for an HTTP request and then performs a second request with the same easy handle but without the custom Host: header set, the second request would use stale information and send the cookies meant for the first host to the second host, thereby leaking them.
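The sequence above, as an added illustration that is not code from the curl project: a small C model of the stale-state error, with the cookie jar, the hypothetical per-handle fields (url_host, cookie_host) and the two prepare_* variants all constructed for this example rather than taken from libcurl. The vulnerable variant only writes the cookie-selection host when a custom Host: header is present, so the second transfer on the same handle inherits it; the fixed variant recomputes it for every transfer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HOSTLEN 64

/* Constructed cookie jar: one session cookie per host, as an
   application might have stored after logging in to both sites. */
struct cookie {
    const char *domain;
    const char *name;
};

static const struct cookie jar[] = {
    { "first.example",  "first_session"  },
    { "second.example", "second_session" },
};

/* Hypothetical per-handle state standing in for a libcurl easy handle. */
struct handle {
    char url_host[HOSTLEN];    /* host taken from the URL of the current transfer */
    char cookie_host[HOSTLEN]; /* host used to pick cookies for the current transfer */
};

static void set_host(char *dst, const char *src)
{
    /* dst is always HOSTLEN bytes; keep the final byte as the terminator */
    strncpy(dst, src, HOSTLEN - 1);
    dst[HOSTLEN - 1] = '\0';
}

/* Buggy variant: cookie_host is only written when a custom Host: header is
   present, so a later transfer on the same handle without one keeps using
   the value from the earlier transfer. */
static void prepare_vulnerable(struct handle *h, const char *url_host,
                               const char *custom_host)
{
    set_host(h->url_host, url_host);
    if (custom_host)
        set_host(h->cookie_host, custom_host);
}

/* Fixed variant: cookie_host is derived afresh for every transfer, falling
   back to the URL host when no custom Host: header is set. */
static void prepare_fixed(struct handle *h, const char *url_host,
                          const char *custom_host)
{
    set_host(h->url_host, url_host);
    set_host(h->cookie_host, custom_host ? custom_host : url_host);
}

/* Returns the name of the cookie that would be attached to the transfer,
   or NULL when the jar holds nothing for the selected host. */
static const char *cookie_for_transfer(const struct handle *h)
{
    size_t i;
    for (i = 0; i < sizeof jar / sizeof jar[0]; i++)
        if (strcmp(jar[i].domain, h->cookie_host) == 0)
            return jar[i].name;
    return NULL;
}

/* Replays the advisory's sequence on one handle: request 1 goes to a
   backend address with a custom "Host: first.example" header, request 2
   goes to second.example with no custom header. Returns the cookie name
   sent on the requested transfer (1 or 2), or NULL. */
static const char *cookie_sent(bool fixed, int request)
{
    struct handle h;
    void (*prepare)(struct handle *, const char *, const char *) =
        fixed ? prepare_fixed : prepare_vulnerable;

    memset(&h, 0, sizeof h);
    prepare(&h, "backend.internal", "first.example");
    if (request == 1)
        return cookie_for_transfer(&h);
    prepare(&h, "second.example", NULL);
    return cookie_for_transfer(&h);
}

int main(void)
{
    printf("vulnerable, request 2 to second.example sends: %s\n",
           cookie_sent(false, 2));   /* first_session: leaked to the wrong host */
    printf("fixed,      request 2 to second.example sends: %s\n",
           cookie_sent(true, 2));    /* second_session */
    return 0;
}
```

In the model, a handle that never sets a custom Host: header never populates the stale field at all, which is why recommendation C below removes the exposure without a rebuild.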
INFO
Setting a custom Host: header is mostly done for debugging purposes when doing clear text HTTP transfers. When using HTTPS, setting a custom hostname like this is not enough to ask for a specific virtual host, since the SNI also needs to match. This condition reduces the impact of this flaw, and is probably a contributing factor to why no one found it before this.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-6276 to this issue.
CWE-346: Origin Validation Error
Severity: Low
AFFECTED VERSIONS
- Affected versions: from curl 7.71.0 to and including 8.19.0
- Not affected versions: curl < 7.71.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/e15e51384a423be3131
libcurl is used by many applications, but not always advertised as such!
This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw does not affect the curl command line tool.
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 8.20.0
B - Apply the patch and rebuild libcurl
C - Avoid using custom Host: headers
TIMELINE
It was reported to the curl project on April 14th 2026. We contacted distros@openwall on April 23rd 2026.
libcurl 8.20.0 was released on April 29th 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Muhamad Arga Reksapati
- Patched-by: Daniel Stenberg
Thanks a lot!