CVE-2026-9547
SSH improper host validation
Project curl Security Advisory, June 24 2026 Permalink
VULNERABILITY
When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the
specific key type already recorded for that host in the known_hosts file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.
INFO
This bug is only present when curl is built with the libssh backend. The same bug does not exist with libssh2.
This bug is not considered a C mistake (not likely to have been avoided had we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2026-9547 to this issue.
CWE-297: Improper Validation of Certificate with Host Mismatch
Severity: Low
AFFECTED VERSIONS
- Affected versions: curl 7.69.0 to and including 8.20.0
- Not affected versions: curl < 7.69.0 and >= 8.21.0
- Introduced-in: https://github.com/curl/curl/commit/507cf6a13db0375eadd
libcurl is used by many applications, but not always advertised as such!
SOLUTION
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl and libcurl to version 8.21.0
B - Apply the patch to your version and rebuild
C - build libcurl with libssh2 instead of libssh
TIMELINE
This issue was reported to the curl project on May 20, 2026.
curl 8.21.0 was released on June 24 2026, coordinated with the publication of this advisory.
CREDITS
- Reported-by: Joshua Rogers (Aisle Research)
- Patched-by: Joshua Rogers (Aisle Research)
Thanks a lot!