CVE-2026-7009
OCSP stapling bypass with Apple SecTrust
Project curl Security Advisory, April 29 2026 Permalink
VULNERABILITY
When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
INFO
This vulnerability only occurs when the curl meets two specific conditions:
Backend: It is built using an OpenSSL-based backend (including forks like BoringSSL, AWS-LC, LibreSSL, or QuicTLS).
Trust Store: It is used with Apple SecTrust, the feature that allows curl to access the native CA certificate store on Apple operating systems (macOS, iOS, iPadOS, tvOS, and watchOS).
In short, the flaw requires an OpenSSL-linked curl running on an Apple platform using the system's native certificate store.
OCSP stapling is not a widely used feature on the open web, perhaps partly because so many big name sites do not support it.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-7009 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 8.17.0 to and including 8.19.0
- Not affected versions: curl < 8.17.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/eefd03c572996e5d
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.20.0
B - Apply the patch to your version and rebuild
C - Avoid the combination OCSP stapling + Apple SecTrust
TIMELINE
This issue was reported to the curl project on April 25, 2026.
curl 8.20.0 was released on April 29 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Carlos Carrillo
- Patched-by: Stefan Eissing
Thanks a lot!