[ADVISORY] curl: CVE-2026-6276: stale custom cookie host causes cookie leak
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 29 Apr 2026 08:01:15 +0200 (CEST)
stale custom cookie host causes cookie leak
===========================================
Project curl Security Advisory, April 29 2026
[Permalink](https://curl.se/docs/CVE-2026-6276.html)
VULNERABILITY
-------------
Using libcurl, when a custom `Host:` header is first set for an HTTP request
and a second request is subsequently done using the same *easy handle* but
without the custom `Host:` header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request, leaking them to the second host.
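To make the failure mode concrete, here is an added Python model of the behaviour the advisory describes. It is not libcurl's code: the `EasyHandle` class, the cookie jar and the domain-matching rule are all constructed for the illustration. The only thing it models is the state a reused handle keeps between transfers: in the affected variant the host taken from a custom `Host:` header is overwritten when a new one arrives but never cleared, so a later transfer without that header still matches cookies against the old host; in the fixed variant the host is derived afresh for every transfer.

```python
"""Model of the stale cookie-host behaviour described in this advisory.

Added illustration, not libcurl's code: a tiny stand-in for a reused easy
handle whose cookie matching depends on which host a transfer is 'for'.
The cookie jar, the domain matching and the handle are all constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # host the cookie belongs to (constructed sample data)


def header_host(headers: List[str]) -> Optional[str]:
    """Return the value of a custom 'Host:' header if the list carries one."""
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return None


def matching_cookies(jar: List[Cookie], host: str) -> List[str]:
    """Cookies to send to 'host': exact domain match or a dot-suffix match."""
    host = host.lower()
    sent = []
    for c in jar:
        d = c.domain.lower()
        if host == d or host.endswith("." + d):
            sent.append(f"{c.name}={c.value}")
    return sent


@dataclass
class EasyHandle:
    """Hypothetical easy handle reused across transfers (not libcurl's struct)."""
    jar: List[Cookie]
    url: str = ""
    headers: List[str] = field(default_factory=list)
    custom_cookie_host: Optional[str] = None  # survives between transfers

    def setopt(self, url: Optional[str] = None,
               headers: Optional[List[str]] = None) -> None:
        if url is not None:
            self.url = url
        if headers is not None:
            self.headers = headers

    def perform(self, fixed: bool) -> List[str]:
        """Run one transfer and return the Cookie: pairs it would send."""
        custom = header_host(self.headers)
        if fixed:
            # Corrected behaviour: the custom host is whatever THIS transfer
            # set, so a request without a Host: header clears it.
            self.custom_cookie_host = custom
        elif custom is not None:
            # Affected behaviour: the value is overwritten when a new custom
            # Host: arrives but never cleared, so it goes stale.
            self.custom_cookie_host = custom
        host = self.custom_cookie_host or (urlsplit(self.url).hostname or "")
        return matching_cookies(self.jar, host)


def two_requests(fixed: bool) -> Tuple[List[str], List[str]]:
    """First transfer with a custom Host:, second one without, same handle."""
    jar = [Cookie("session", "abc123", "first.example"),   # constructed
           Cookie("theme", "dark", "second.example")]      # constructed
    h = EasyHandle(jar)
    h.setopt(url="http://127.0.0.1/", headers=["Host: first.example"])
    first = h.perform(fixed)
    h.setopt(url="http://second.example/", headers=[])
    second = h.perform(fixed)
    return first, second


if __name__ == "__main__":
    print("affected:", two_requests(fixed=False))
    print("fixed:   ", two_requests(fixed=True))
```

Running it shows the affected variant sending `session=abc123` (a cookie for `first.example`) on the second transfer to `second.example`, while the fixed variant sends only `theme=dark`. The model also shows why workaround C below works: if no custom `Host:` header is ever set, `custom_cookie_host` never gets a value and every transfer matches cookies against its own URL's host.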
INFO
----
Setting a custom `Host:` header is mostly done for debugging purposes when
doing clear-text HTTP transfers. When using HTTPS, setting a custom hostname
like this is not enough to ask for a specific virtual host, since then the SNI
also needs to be correct. This condition reduces the impact of this flaw, and
is probably a contributing factor to why no one else found it before this.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-6276 to this issue.

CWE-346: Origin Validation Error

Severity: Low

AFFECTED VERSIONS
-----------------
- Affected versions: from curl 7.71.0 to and including 8.19.0
- Not affected versions: curl < 7.71.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/e15e51384a423be3131

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been
avoided had we not been using C.

This flaw does **not** affect the curl command line tool.

SOLUTION
--------
- Fixed-in: https://github.com/curl/curl/commit/3a19987a87f393d9394fe5ac

RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:

A - Upgrade to curl and libcurl 8.20.0
B - Apply the patch and rebuild libcurl
C - Avoid using custom `Host:` headers

TIMELINE
--------
It was reported to the curl project on April 14th 2026. We contacted
distros_at_openwall on April 23. libcurl 8.20.0 was released on April 29th
2026, coordinated with the publication of this advisory.

CREDITS
-------
- Reported-by: Muhamad Arga Reksapati
- Patched-by: Daniel Stenberg

Thanks a lot!

--
/ daniel.haxx.se || https://rock-solid.curl.dev

Received on 2026-04-29
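Because libcurl is linked into many applications that do not advertise it, the first practical step for the AFFECTED VERSIONS section above is to find out which libcurl each application actually uses and compare it with the range. The helper below is an added example and not part of curl: the boundaries (introduced in 7.71.0, fixed in 8.20.0) come from the advisory, while the parsing of `libcurl/X.Y.Z` tokens and of the packed `LIBCURL_VERSION_NUM` form (`0xXXYYZZ`) is the helper's own assumption about the strings you will meet. A `libcurl/` token is preferred over the leading tool version, since the tool is not affected and may differ from the library it loads.

```python
"""Check whether a libcurl build falls in the affected range of this advisory.

Added helper, not part of curl: the version boundaries come from the advisory
(introduced in 7.71.0, fixed in 8.20.0); the parsing of version strings is
this helper's own assumption.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

INTRODUCED_IN: Version = (7, 71, 0)   # first affected release, per the advisory
FIXED_IN: Version = (8, 20, 0)        # first release that is not affected


def parse_libcurl_version(text: str) -> Optional[Version]:
    """Extract the libcurl version from strings such as
    'curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.0.2'
    (the curl tool's banner), 'libcurl/8.19.0' (curl_version()) or '8.19.0'.
    A 'libcurl/' token wins over the tool version that precedes it."""
    m = (re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", text)
         or re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text))
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_from_num(num: int) -> Version:
    """Decode LIBCURL_VERSION_NUM / curl_version_info()->version_num,
    which packs the version as 0xXXYYZZ (e.g. 0x081300 is 8.19.0)."""
    return ((num >> 16) & 0xFF, (num >> 8) & 0xFF, num & 0xFF)


def is_affected(version: Version) -> bool:
    """True when INTRODUCED_IN <= version < FIXED_IN."""
    return INTRODUCED_IN <= version < FIXED_IN


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real system.
    for banner in ("curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 OpenSSL/3.0.2",
                   "libcurl/8.20.0", "7.70.0"):
        v = parse_libcurl_version(banner)
        print(banner, "->", v, "affected" if v and is_affected(v) else "not affected")
```

Treat a positive result as a reason to look closer rather than a verdict: distributions routinely backport security fixes without changing the reported version, so a build that reports 8.19.0 may already carry the Fixed-in commit. The version check finds candidates; the package changelog or the patch itself confirms them.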