{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9079",
  "aliases": [
    "CVE-2026-9079"
  ],
  "summary": "stale proxy password leak",
  "modified": "2026-06-24T10:06:45.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "lib",
    "URL": "https://curl.se/docs/CVE-2026-9079.json",
    "www": "https://curl.se/docs/CVE-2026-9079.html",
    "issue": "https://hackerone.com/reports/3750295",
    "CWE": {
      "id": "CWE-522",
      "desc": "Insufficiently Protected Credentials"
    },
    "last_affected": "8.20.0",
    "severity": "Medium"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.8.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "d5e83eb745762f48d8fafadc5df5dd3ae8d8941e"},
             {"fixed": "88c7e16cceec816a2df45c899d49b1e85513f193"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0", "8.10.1", 
        "8.10.0", "8.9.1", "8.9.0", "8.8.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Guancheng Li",
      "type": "FINDER"
    },
    {
      "name": "Daniel Stenberg",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them."
}