CVE-2026-6429
netrc credential leak with reused proxy connection
Project curl Security Advisory, April 29 2026
VULNERABILITY
When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
INFO
To trigger this flaw, both the original URL and the redirect-target URL must be clear-text http:// URLs, both requests must be performed over the same HTTP proxy, and the same proxy connection must be reused for the followed request.
This issue is similar to CVE-2024-11053.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-6429 to this issue.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Medium
AFFECTED VERSIONS
- Affected versions: from curl 7.14.0 to and including 8.19.0
- Not affected versions: curl < 7.14.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/01165e08e0d131b399fb
libcurl is used by many applications, but not always advertised as such!
This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw does not affect the curl command line tool.
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 8.20.0
B - Apply the patch and rebuild libcurl
C - Avoid using the combination of netrc credentials, clear-text HTTP and an HTTP proxy
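As an added illustration (not curl project code) of the conditions described above and of recommendation C, here is a version check against the affected range stated in this advisory together with a redirect walker that looks up .netrc credentials from each hop's own host, so the followed-to host receives nothing unless it has its own entry. The .netrc entry, host names and redirect chain are constructed samples.

```python
import netrc
import os
import tempfile
from base64 import b64encode
from urllib.parse import urlsplit

# Constructed sample .netrc (not from the advisory): only origin.example has an entry.
NETRC_TEXT = "machine origin.example login alice password s3cret\n"
# Affected range stated in the advisory: 7.14.0 up to and including 8.19.0.
AFFECTED_FROM, FIXED_IN = (7, 14, 0), (8, 20, 0)

def is_affected(version: str) -> bool:
    """True when a libcurl version string falls inside the advisory's affected range."""
    return AFFECTED_FROM <= tuple(int(p) for p in version.split(".")) < FIXED_IN

def load_netrc(text: str) -> netrc.netrc:
    """Parse netrc text with the stdlib parser, which only accepts a file path."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        return netrc.netrc(path)
    finally:
        os.unlink(path)

def basic_auth_header(nrc: netrc.netrc, url: str):
    """Credentials are bound to the host of *this* URL only; no entry, no header."""
    host = urlsplit(url).hostname
    creds = nrc.authenticators(host) if host else None
    if creds is None:
        return None
    login, _account, password = creds
    return "Basic " + b64encode(f"{login}:{password}".encode()).decode()

def follow_redirects(nrc: netrc.netrc, start_url: str, redirects: dict, max_hops: int = 5):
    """Walk a constructed redirect chain (url -> Location) and record the Authorization
    header each hop would send: recomputed from the hop's own host, never carried over."""
    hops, url = [], start_url
    for _ in range(max_hops + 1):
        hops.append((url, basic_auth_header(nrc, url)))
        if url not in redirects:
            return hops
        url = redirects[url]
    raise RuntimeError("too many redirects")

if __name__ == "__main__":
    chain = {"http://origin.example/login": "http://other.example/landing"}
    for url, auth in follow_redirects(load_netrc(NETRC_TEXT), "http://origin.example/login", chain):
        print(url, "->", auth)
```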
TIMELINE
This issue was reported to the curl project on April 16th 2026. We contacted distros@openwall on April 23.
libcurl 8.20.0 was released on April 29th 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Muhamad Arga Reksapati
- Patched-by: Daniel Stenberg
Thanks a lot!