{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-8926",
  "aliases": [
    "CVE-2026-8926"
  ],
  "summary": "password leak with netrc and user in URL",
  "modified": "2026-06-24T09:04:05.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-8926.json",
    "www": "https://curl.se/docs/CVE-2026-8926.html",
    "issue": "https://hackerone.com/reports/3735184",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.11.1"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "e9b9bbac22c26cf67316fa8e6c6b9e831af31949"},
             {"fixed": "4ae1d7cc2643e4773a136395f12bc02fc6867854"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1"
      ]
    }
  ],
  "credits": [
    {
      "name": "Joshua Rogers (Aisle Research)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "When asking curl to use a `.netrc` file to find credentials and at the same\ntime specifying a URL with a username (without a password), like\n`https://user@example.com/`, curl could wrongly get and use the password for\n*another* user set in the `.netrc` file for that host if such a one exists and\nthere is no match for the specified user."
}