CVE-2026-8927
env-set cross-proxy Digest auth state leak
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against proxyA using Digest auth, a subsequent
transfer routed through proxyB erroneously leaks the Proxy-Authorization: header intended solely for proxyA.
INFO
An evil proxyB could use this incoming request header field to impersonate the client in communicating with proxyA, as the header contains the authenticated state.
There is nothing in the request details passed to proxyB that reveal the name or the address of proxyA, which mitigates this problem.
This flaw is almost identical to CVE-2026-7168. The difference lies primarily in how the proxy is selected.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8927 to this issue.
CWE-294: Authentication Bypass by Capture-replay
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 7.12.0 to and including 8.20.0
- Not affected versions: curl < 7.12.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid reusing handles when changing proxies
TIMELINE
This issue was reported to the curl project on May 18, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Ady Elouej
- Patched-by: Daniel Stenberg
Thanks a lot!