{ "schema_version": "1.5.0", "id": "CURL-CVE-2026-6276", "aliases": [ "CVE-2026-6276" ], "summary": "stale custom cookie host causes cookie leak", "modified": "2026-04-29T09:56:23.00Z", "database_specific": { "package": "curl", "affects": "lib", "URL": "https://curl.se/docs/CVE-2026-6276.json", "www": "https://curl.se/docs/CVE-2026-6276.html", "issue": "https://hackerone.com/reports/3671818", "CWE": { "id": "CWE-346", "desc": "Origin Validation Error" }, "last_affected": "8.19.0", "severity": "Low" }, "published": "2026-04-29T08:00:00.00Z", "affected": [ { "ranges": [ { "type": "SEMVER", "events": [ {"introduced": "7.71.0"}, {"fixed": "8.20.0"} ] }, { "type": "GIT", "repo": "https://github.com/curl/curl.git", "events": [ {"introduced": "e15e51384a423be31318b3c9c7d612a1aae661fd"}, {"fixed": "3a19987a87f393d9394fe5acc7643f6c263c92db"} ] } ], "versions": [ "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", "8.10.0", "8.9.1", "8.9.0", "8.8.0", "8.7.1", "8.7.0", "8.6.0", "8.5.0", "8.4.0", "8.3.0", "8.2.1", "8.2.0", "8.1.2", "8.1.1", "8.1.0", "8.0.1", "8.0.0", "7.88.1", "7.88.0", "7.87.0", "7.86.0", "7.85.0", "7.84.0", "7.83.1", "7.83.0", "7.82.0", "7.81.0", "7.80.0", "7.79.1", "7.79.0", "7.78.0", "7.77.0", "7.76.1", "7.76.0", "7.75.0", "7.74.0", "7.73.0", "7.72.0", "7.71.1", "7.71.0" ] } ], "credits": [ { "name": "Muhamad Arga Reksapati", "type": "FINDER" }, { "name": "Daniel Stenberg", "type": "REMEDIATION_DEVELOPER" } ], "details": "Using libcurl, when a custom `Host:` header is first set for an HTTP request\nand a second request is subsequently done using the same *easy handle* but\nwithout the custom `Host:` header set, the second request would use stale\ninformation and pass on cookies meant for the first host in the second\nrequest. Leak them." }