Download
Browse source Changelog Release candidates Release log tiny-curl
Documentation
Project FAQ   Help us   Known bugs   Known risks   TODO Protocols   CA bundle   HTTP Cookies   SSL Certs Releases   Security   Verify   Version numbers   Vulnerabilities curl tool   man page   Tutorial   HTTP scripting trurl wcurl Videos Who and Why
libcurl
API Examples Features Mailing list Symbols Using libcurl Tutorial
Get Help
curl-library curl-users IRC / chat Mailing lists Everything curl [book] Video presentations Report a bug Report security issue Paid support
Development
Autobuilds Code review Code style Contribute Dashboard Deprecate Internals Release Notes Release Procedure Roadmap Run Tests Specifications Test curl Tests Overview Vulnerability Disclosure Policy
curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder Daniel himself.

[ADVISORY] curl: CVE-2026-7168: cross-proxy Digest auth state leak

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Wed, 29 Apr 2026 08:01:29 +0200 (CEST)

cross-proxy Digest auth state leak
==================================

Project curl Security Advisory, April 29 2026
[Permalink](https://curl.se/docs/CVE-2026-7168.html)

VULNERABILITY
-------------

Successfully using libcurl to do a transfer over a specific HTTP proxy
(`proxyA`) with **Digest** authentication and then changing the proxy host to
a second one (`proxyB`) for a second transfer, reusing the same handle, makes
libcurl wrongly pass on the `Proxy-Authorization:` header field meant for
`proxyA`, to `proxyB`.

INFO 
----
An evil `proxyB` could use this incoming request header field to impersonate
the client in communicating with `proxyA`, as the header contains the
authenticated state.
There is nothing in the request details passed to `proxyB` that reveal the
name or the address of `proxyA`, which mitigates this problem.
This bug is **not** considered a *C mistake* (likely to have been avoided had
we not been using C).
This flaw does not affect the curl command line tool.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-7168 to this issue.
CWE-294: Authentication Bypass by Capture-replay
Severity: Medium
AFFECTED VERSIONS
-----------------
- Affected versions: curl 7.12.0 to and including 8.19.0
- Not affected versions: curl < 7.12.0 and >= 8.20.0
- Introduced-in: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf
libcurl is used by many applications, but not always advertised as such!
SOLUTION
------------
- Fixed-in: https://github.com/curl/curl/commit/c1cfdf59acbaf9504c45
RECOMMENDATIONS
---------------
We suggest you take one of the following actions immediately, in order of
preference:
  A - Upgrade curl and libcurl to version 8.20.0
  B - Apply the patch to your version and rebuild
  C - Avoid reusing handles when changing proxies
TIMELINE
---------
This issue was reported to the curl project on April 27, 2026.
curl 8.20.0 was released on April 29 2026, coordinated with the publication of
this advisory.
CREDITS
-------
- Reported-by: Muhamad Arga Reksapati
- Patched-by: Daniel Stenberg
Thanks a lot!
-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2026-04-29