CVE-2026-9546
sending old referer
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
A vulnerability in libcurl caused the HTTP Referer: header to persist even when explicitly cleared. While the documentation states that passing NULL to CURLOPT_REFERER suppresses the header, the option failed to clear the internal state. As a result, the previous
referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers.
INFO
This bug is not considered a C mistake (not likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9546 to this issue.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 8.18.0 to and including 8.20.0
- Not affected versions: curl < 8.18.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/2cb868242dc2ac9cd5
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - Avoid using CURLOPT_REFERER
TIMELINE
This issue was reported to the curl project on May 22, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: renjian on hackerone
- Patched-by: Daniel Stenberg
Thanks a lot!