CVE-2026-8286
wrong STARTTLS connection reuse
Project curl Security Advisory, June 24 2026
VULNERABILITY
A new transfer that upgrades a cleartext connection to TLS with STARTTLS may reuse an existing live connection from the connection cache even though its TLS configuration differs from the one the connection was established with, in which case the connection should not be reused.
INFO
For transfers using URL schemes that start as cleartext and then upgrade to TLS, the check that a new transfer's TLS configuration matches that of a cached connection before the connection is reused is not performed. This affects the IMAP://, POP3://, SMTP://, FTP:// and LDAP:// schemes, so a transfer with, for example, peer verification enabled could be served over a connection that was established with verification disabled, or with a different CA bundle or pinned key, and vice versa.
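To make the flaw concrete, here is a small model of a connection-cache reuse check with the gating mistake described above, next to a corrected version. This is an added example and not curl's code: the struct fields, enum values and function names are assumptions for illustration, and the sample connection and transfers are constructed, not taken from a real session.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a connection-cache reuse check. Not curl's code;
 * every name, field and enum value here is an assumption for the example. */
enum scheme { SCHEME_IMAP, SCHEME_IMAPS, SCHEME_SMTP, SCHEME_SMTPS };
enum use_ssl { SSL_NONE, SSL_ALL };   /* "try" mode deliberately left out */

struct tls_config {
    bool verify_peer;          /* in the spirit of CURLOPT_SSL_VERIFYPEER */
    bool verify_host;          /* in the spirit of CURLOPT_SSL_VERIFYHOST */
    const char *cafile;        /* CA bundle, may be NULL */
    const char *pinned_pubkey; /* pinned public key, may be NULL */
};

struct transfer {
    enum scheme scheme; const char *host; int port;
    enum use_ssl use_ssl;      /* SSL_ALL: upgrade a cleartext scheme via STARTTLS */
    struct tls_config tls;
};

struct conn {
    enum scheme scheme; const char *host; int port;
    bool tls_active;           /* implicit TLS, or already upgraded via STARTTLS */
    struct tls_config tls;     /* settings the TLS session was established with */
};

static bool implicit_tls(enum scheme s) { return s == SCHEME_IMAPS || s == SCHEME_SMTPS; }

static bool str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

static bool tls_config_match(const struct tls_config *a, const struct tls_config *b)
{
    return a->verify_peer == b->verify_peer && a->verify_host == b->verify_host &&
           str_eq(a->cafile, b->cafile) && str_eq(a->pinned_pubkey, b->pinned_pubkey);
}

static bool endpoint_match(const struct conn *c, const struct transfer *t)
{
    return c->scheme == t->scheme && c->port == t->port && str_eq(c->host, t->host);
}

/* Flawed rule: the TLS comparison is gated on the *scheme* being TLS, so a
 * transfer that upgrades with STARTTLS never has its settings compared. */
bool reusable_flawed(const struct conn *c, const struct transfer *t)
{
    if (!endpoint_match(c, t)) return false;
    if (implicit_tls(t->scheme)) return tls_config_match(&c->tls, &t->tls);
    return true;   /* imap://, smtp://, ...: reused whatever the TLS settings */
}

/* Corrected rule: gate on whether TLS is in play at all, implicit or upgraded. */
bool reusable_fixed(const struct conn *c, const struct transfer *t)
{
    if (!endpoint_match(c, t)) return false;
    bool transfer_tls = implicit_tls(t->scheme) || t->use_ssl == SSL_ALL;
    if (transfer_tls != c->tls_active) return false;  /* plain vs. TLS: never share */
    if (transfer_tls) return tls_config_match(&c->tls, &t->tls);
    return true;
}

/* Constructed sample data: an IMAP connection upgraded with STARTTLS while
 * verifying the peer, then a second transfer that asks for no verification
 * (what a -k/--insecure transfer would request). */
static const struct tls_config strict_tls = { true, true, "/etc/ssl/certs/ca-bundle.crt", NULL };
static const struct tls_config lax_tls    = { false, false, NULL, NULL };

static struct conn live_conn(void)
{
    struct conn c = { SCHEME_IMAP, "mail.example.com", 143, true, strict_tls };
    return c;
}

static struct transfer new_transfer(struct tls_config tls)
{
    struct transfer t = { SCHEME_IMAP, "mail.example.com", 143, SSL_ALL, tls };
    return t;
}

bool flawed_reuses_mismatch(void)
{   struct conn c = live_conn(); struct transfer t = new_transfer(lax_tls);
    return reusable_flawed(&c, &t);   /* true: mismatch goes unnoticed */ }

bool fixed_reuses_mismatch(void)
{   struct conn c = live_conn(); struct transfer t = new_transfer(lax_tls);
    return reusable_fixed(&c, &t);    /* false: a fresh connection is required */ }

bool fixed_reuses_match(void)
{   struct conn c = live_conn(); struct transfer t = new_transfer(strict_tls);
    return reusable_fixed(&c, &t);    /* true: identical settings may share */ }

int main(void)
{
    printf("flawed, mismatched TLS settings: reuse=%d\n", flawed_reuses_mismatch());
    printf("fixed,  mismatched TLS settings: reuse=%d\n", fixed_reuses_mismatch());
    printf("fixed,  identical TLS settings:  reuse=%d\n", fixed_reuses_match());
    return 0;
}
```

The point of the corrected rule is that the decision to compare TLS settings must depend on whether the connection will carry TLS, not on whether the scheme name implies TLS; with STARTTLS the two are not the same thing. The model also refuses to pair a TLS-upgraded connection with a transfer that never asked for TLS, which is the cheap way to avoid reasoning about partially upgraded connections.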
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8286 to this issue.
CWE-295: Improper Certificate Validation
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.30.0 to and including 8.20.0
- Not affected versions: curl < 7.30.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/a1701eea289fe7ea8065
STARTTLS support was introduced in curl via a number of separate commits for the different protocols. The specific commit mentioned above did not introduce the problem for all the protocols at once.
libcurl is used by many applications, but not always advertised as such!
This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.
This flaw also affects the curl command line tool.
SOLUTION
curl 8.21.0 fixes this logical flaw
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade to curl and libcurl 8.21.0
B - Apply the patch and rebuild libcurl
C - Do not use the cleartext schemes (imap://, pop3://, smtp://, ftp://, ldap://) with a STARTTLS upgrade; use the implicit-TLS schemes (imaps://, pop3s://, smtps://, ftps://, ldaps://) instead
TIMELINE
This issue was reported to the curl project on May 6 2026. We contacted distros@openwall on June 17 2026.
libcurl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Andrew Nesbitt (powered by Mythos)
- Patched-by: Stefan Eissing
Thanks a lot!