
CVE-2026-8926

password leak with netrc and user in URL

Project curl Security Advisory, June 24 2026

VULNERABILITY

When curl is asked to use a .netrc file to find credentials and is at the same time given a URL that specifies a username but no password, such as https://user@example.com/, it could wrongly pick up and use the password stored in .netrc for a different user on that host, if such an entry exists and no entry matches the specified user.
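The credential-selection rule at issue, shown as an added example that is not curl's own code: a minimal .netrc parser plus two lookups, one reproducing the flawed fallback the advisory describes (any entry for the host supplies the password) and one applying the correct rule (only an entry whose host and login both match may supply it). The sample .netrc content, the host names and the function names are constructed for this illustration.

```python
"""Added example (not curl's code): .netrc lookup when the URL names a user but no password.

Rule: a password may only come from a .netrc entry whose machine AND login
match. If no entry matches the URL's user, no password is used; the
password of another user on the same host is never a fallback.
"""
from urllib.parse import urlsplit

# Constructed sample .netrc: two accounts on one host (assumption for the example).
SAMPLE_NETRC = """
machine example.com login alice password alice-secret
machine example.com login bob   password bob-secret
"""


def parse_netrc(text):
    """Parse .netrc text into a list of {'machine', 'login', 'password'} dicts.

    Minimal tokenizer: handles 'machine', 'login', 'password'; other tokens
    (e.g. 'account', 'default', 'macdef') are skipped for brevity.
    """
    entries = []
    current = None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine" and i + 1 < len(tokens):
            current = {"machine": tokens[i + 1], "login": None, "password": None}
            entries.append(current)
            i += 2
        elif tok in ("login", "password") and current is not None and i + 1 < len(tokens):
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return entries


def lookup_password_flawed(entries, host, login):
    """Illustrates the behaviour the advisory describes: prefer an exact
    (host, login) match, but fall back to ANY entry for the host, which
    hands out a different user's password when 'login' is not in .netrc."""
    for e in entries:
        if e["machine"] == host and e["login"] == login:
            return e["password"]
    for e in entries:  # wrong fallback: host matches, login does not
        if e["machine"] == host:
            return e["password"]
    return None


def lookup_password(entries, host, login):
    """Correct rule: only an entry matching both host and login may supply
    the password; otherwise return None (no credentials are sent)."""
    for e in entries:
        if e["machine"] == host and e["login"] == login:
            return e["password"]
    return None


def resolve_credentials(url, netrc_text):
    """Return (user, password) for the URL, consulting .netrc only when needed.

    - user and password in the URL: use them as given.
    - user only: the password must come from a matching (host, user) entry.
    - no user: take the first entry for the host, if any.
    """
    parts = urlsplit(url)
    host, user, password = parts.hostname, parts.username, parts.password
    entries = parse_netrc(netrc_text)
    if user is not None and password is not None:
        return user, password
    if user is not None:
        return user, lookup_password(entries, host, user)
    for e in entries:
        if e["machine"] == host:
            return e["login"], e["password"]
    return None, None


if __name__ == "__main__":
    entries = parse_netrc(SAMPLE_NETRC)
    # Flawed lookup leaks alice's password for an unknown user 'carol'.
    print("flawed :", lookup_password_flawed(entries, "example.com", "carol"))
    # Correct lookup returns None, so no password is sent.
    print("correct:", lookup_password(entries, "example.com", "carol"))
    print(resolve_credentials("https://carol@example.com/", SAMPLE_NETRC))
```

The `lookup_password_flawed` function exists only to make the failure mode visible next to the correct rule; a practitioner checking their own netrc-consuming code wants the second behaviour: a URL that names a user must never be completed with a different user's password.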

INFO

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8926 to this issue.

CWE-522: Insufficiently Protected Credentials

Severity: Low

AFFECTED VERSIONS

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a C mistake. It is not likely to have been avoided had we not been using C.

This flaw is also accessible using the curl command line tool.

SOLUTION

RECOMMENDATIONS

A - Upgrade curl to version 8.21.0

B - Apply the patch to your local version

C - Do not use netrc for authentication data

TIMELINE

This issue was reported to the curl project on May 14, 2026. We contacted distros@openwall on June 17, 2026.

curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.

CREDITS

Thanks a lot!