Docs Overview
Project
Bug Report Code of conduct Dependencies Donate FAQ Features Governance History Install Known Bugs Known Risks Logo TODO website Info
Protocols
CA Extract HTTP cookies HTTP/3 MQTT SSL certs SSL libs compared URL syntax WebSocket
Releases
Changelog curl CVEs Release Table Version Numbering Verify Vulnerabilities
Tool
Comparison Table curl man page HTTP Scripting mk-ca-bundle Tutorial When options were added
Who and Why
Companies Copyright Sponsors Thanks The name
curl / Docs / curl CVEs / wrong reuse for different services
Related:
Audits
Changelog
curl CVEs
JSON metadata
Original report
Vulnerability Disclosure
Vulnerabilities Table

CVE-2026-8458

wrong reuse for different services

Project curl Security Advisory, June 24 2026 Permalink

VULNERABILITY

libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different "services".

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

INFO

The intended service to use for Negotiate is set with CURLOPT_SERVICE_NAME or CURLOPT_PROXY_SERVICE_NAME.

This flaw still only triggers while using the same hostname, port number and credentials and the previous connection is still found alive in the connection pool.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8458 to this issue.

This flaw is similar to CVE-2026-5545.

CWE-488: Exposure of Data Element to Wrong Session

Severity: Low

AFFECTED VERSIONS

This flaw has existed since curl started to support setting the service name for Negotiate.

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw does not affect the curl command line tool.

SOLUTION

curl 8.21.0 makes sure that connection reuse take the service name into account.

RECOMMENDATIONS

We suggest you take one of the following actions immediately, in order of preference:

A - Upgrade to curl and libcurl 8.21.0

B - Apply the patch and rebuild libcurl

C - Avoid using HTTP Negotiate in your application

TIMELINE

It was reported to the curl project on May 8 2026. We contacted distros@openwall on June 17 2026.

libcurl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!