Download
Browse source Changelog Release candidates Release log tiny-curl
Documentation
Project FAQ   Help us   Known bugs   Known risks   TODO Protocols   CA bundle   HTTP Cookies   SSL Certs Releases   Security   Verify   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting trurl wcurl Videos Who and Why
libcurl
API Examples Features Mailing list Symbols Using libcurl Tutorial
Get Help
curl-library curl-users IRC / chat Mailing lists Everything curl [book] Video presentations Report a bug Report security issue Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Specifications Test curl Tests Overview Vulnerability Disclosure Policy
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

[ADVISORY] curl: CVE-2026-7009: OCSP stapling bypass with Apple SecTrust

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 29 Apr 2026 08:01:23 +0200 (CEST)

OCSP stapling bypass with Apple SecTrust
========================================

Project curl Security Advisory, April 29 2026
[Permalink](https://curl.se/docs/CVE-2026-7009.html)

VULNERABILITY
-------------

When curl is told to use the Certificate Status Request TLS extension, often
referred to as *OCSP stapling*, to verify that the server certificate is
valid, it fails to detect OCSP problems and instead wrongly consider the
response as fine.

INFO 
----
This vulnerability only occurs when the curl meets two specific conditions:
* **Backend:** It is built using an **OpenSSL-based backend** (including forks
   like BoringSSL, AWS-LC, LibreSSL, or QuicTLS).
* **Trust Store:** It is used with **Apple SecTrust**, the feature that allows
   curl to access the native CA certificate store on Apple operating systems
   (macOS, iOS, iPadOS, tvOS, and watchOS).
In short, the flaw requires an OpenSSL-linked curl running on an Apple
platform using the system's native certificate store.
OCSP stapling is not a widely used feature on the open web, perhaps partly
because so many big name sites do not support it.
This bug is **not** considered a *C mistake* (likely to have been avoided had
we not been using C).
This flaw also affects the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-7009 to this issue.
CWE-295: Improper Certificate Validation
Severity: Medium
AFFECTED VERSIONS
-----------------
- Affected versions: curl 8.17.0 to and including 8.19.0
- Not affected versions: curl < 8.17.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/eefd03c572996e5d
libcurl is used by many applications, but not always advertised as such!
SOLUTION
------------
- Fixed-in: https://github.com/curl/curl/commit/51905671e07f087e28e57
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 8.20.0
  B - Apply the patch to your version and rebuild
  C - Avoid the combination OSCP stapling + Apple SecTrust
TIMELINE
---------
This issue was reported to the curl project on April 25, 2026.
curl 8.20.0 was released on April 29 2026, coordinated with the publication of
this advisory.
CREDITS
-------
- Reported-by: Carlos Carrillo
- Patched-by: Stefan Eissing
Thanks a lot!
-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2026-04-29