CVE-2026-9079
stale proxy password leak
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
INFO
This bug is not considered a C mistake (likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9079 to this issue.
CWE-522: Insufficiently Protected Credentials
Severity: Medium
AFFECTED VERSIONS
- Affected versions: curl 8.8.0 to and including 8.20.0
- Not affected versions: curl < 8.8.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/d5e83eb745762f48d8f
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid reusing handles when changing proxy credentials
TIMELINE
This issue was reported to the curl project on May 20, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
XlabAI Team of Tencent Xuanwu Lab
- Reported-by: Guannan Wang
- Reported-by: Zhanpeng Liu
- Reported-by: Jiashuo Liang
- Reported-by: Guancheng Li
- Patched-by: Daniel Stenberg
Thanks a lot!