{
  "schema_version": "1.5.0",
  "id": "CURL-CVE-2026-9545",
  "aliases": [
    "CVE-2026-9545"
  ],
  "summary": "exposing HTTP/3 early data",
  "modified": "2026-06-24T09:10:24.00Z",
  "database_specific": {
    "package": "curl",
    "affects": "both",
    "URL": "https://curl.se/docs/CVE-2026-9545.json",
    "www": "https://curl.se/docs/CVE-2026-9545.html",
    "issue": "https://hackerone.com/reports/3752888",
    "CWE": {
      "id": "CWE-200",
      "desc": "Exposure of Sensitive Information to an Unauthorized Actor"
    },
    "last_affected": "8.20.0",
    "severity": "Low"
  },
  "published": "2026-06-24T08:00:00.00Z",
  "affected": [
    {
      "ranges": [
        {
           "type": "SEMVER",
           "events": [
             {"introduced": "8.11.0"},
             {"fixed": "8.21.0"}
           ]
        },
        {
           "type": "GIT",
           "repo": "https://github.com/curl/curl.git",
           "events": [
             {"introduced": "962097b8dd44ed5b9e7984bc1cdffdbdd566857f"},
             {"fixed": "7b9613fa9b1a5e04301a3920eef58e8138dad05e"}
           ]
        }
      ],
      "versions": [
        "8.20.0", "8.19.0", "8.18.0", "8.17.0", "8.16.0", "8.15.0", "8.14.1", 
        "8.14.0", "8.13.0", "8.12.1", "8.12.0", "8.11.1", "8.11.0"
      ]
    }
  ],
  "credits": [
    {
      "name": "Eunsoo Kim (Autonomous Code Security team at Microsoft)",
      "type": "FINDER"
    },
    {
      "name": "Stefan Eissing",
      "type": "REMEDIATION_DEVELOPER"
    }
  ],
  "details": "In this scenario, libcurl first uses a proper HTTP/3 server for the initial\ntransfers, and when it makes a second transfer to the same site it has been\nreplaced by the attacker's impostor machine - without a valid certificate.\n\nWhen libcurl returns to the hostname the second time with a cached SSL session\n(`CURLOPT_SSL_SESSIONID_CACHE` is not disabled) and early data enabled (the\n`CURLSSLOPT_EARLYDATA` bit is set in `CURLOPT_SSL_OPTIONS`), libcurl might\nsend off the second request's bytes on that new connection *before* enforcing\nthe certificate verification failure, potentially leaking sensitive\ninformation."
}