CVE-2026-8932
incomplete mTLS config matching in conn reuse
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.
INFO
This flaw is similar to CVE-2022-27782.
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-8932 to this issue.
CWE-305: Authentication Bypass by Primary Weakness
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.7 to and including 8.20.0
- Not affected versions: curl < 7.7 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b0
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid reusing handles when changing client cert details
TIMELINE
This issue was reported to the curl project on May 13, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Joshua Rogers (Aisle Research)
- Patched-by: Joshua Rogers (Aisle Research)
Thanks a lot!