CVE-2026-7168
cross-proxy Digest auth state leak
Project curl Security Advisory, April 29 2026 Permalink
VULNERABILITY
Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the
Proxy-Authorization: header field meant for proxyA, to proxyB.
INFO
An evil proxyB could use this incoming request header field to impersonate the client in communicating with proxyA, as the header contains the authenticated state.
There is nothing in the request details passed to proxyB that reveal the name or the address of proxyA, which mitigates this problem.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-7168 to this issue.
CWE-294: Authentication Bypass by Capture-replay
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 7.12.0 to and including 8.19.0
- Not affected versions: curl < 7.12.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.20.0
B - Apply the patch to your version and rebuild
C - Avoid reusing handles when changing proxies
TIMELINE
This issue was reported to the curl project on April 27, 2026.
curl 8.20.0 was released on April 29 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Muhamad Arga Reksapati
- Patched-by: Daniel Stenberg
Thanks a lot!