CVE-2026-5545: Connection Reuse Vulnerability in libcurl
Platform: c
Component: curl
Fixed in: 8.19.1
CVE-2026-5545 affects libcurl versions 8.12.0 through 8.19.0. The vulnerability is a logic error in connection reuse: after a request authenticated with Negotiate, libcurl may hand the same connection to a later request to that server made with different credentials, so the second request can be sent over a connection the server already associates with the first identity. In applications that use libcurl to talk to a server on behalf of several users this can result in unauthorized access and data exposure.
Impact and attack scenarios
The core of the vulnerability lies in libcurl's connection pool. Negotiate is connection-oriented authentication: it authenticates the connection, not each individual request, so a pooled connection carries the identity it was authenticated with. When a request follows a Negotiate-authenticated one to the same server, affected libcurl versions may select that still-open connection even though the new request carries different credentials. The realistic attacker is a user of a multi-user application (a gateway, proxy or server-side integration) who can cause it to issue a request to the same backend shortly after another user's authenticated request: if the connection is reused, the request executes under the other user's identity, reaching resources that user can access and exposing the response data. The impact is largest in applications that rely on libcurl for authenticated HTTP(S) access on behalf of many principals, especially where the backend holds credentials, personal or financial data.
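To make the class of error concrete, here is a hypothetical model of a client-side connection pool. It is an added example, not libcurl's code, and it does not claim to reproduce the exact defect behind CVE-2026-5545: the host names, user names, struct layout and lookup functions are all constructed for illustration. It contrasts a lookup that matches idle connections on host:port alone with one that refuses to hand a connection bound to an identity by connection-oriented auth (Negotiate, NTLM) to a request carrying other credentials.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical connection-pool model, constructed for this page. NOT libcurl's
 * code. It shows the error class the advisory describes: a pool lookup that
 * matches on host:port alone will give a connection that was authenticated
 * with connection-oriented auth for one user to a later request made with
 * another user's credentials.
 */

enum auth_kind { AUTH_NONE, AUTH_BASIC, AUTH_NEGOTIATE, AUTH_NTLM };

struct conn {
    char host[64];
    int port;
    enum auth_kind auth;   /* mechanism this connection was authenticated with */
    char userpwd[64];      /* credentials it is bound to, "" if none */
};

struct request {
    char host[64];
    int port;
    enum auth_kind auth;
    char userpwd[64];
};

/* Negotiate and NTLM authenticate the connection, not each request. */
bool auth_is_connection_oriented(enum auth_kind a)
{
    return a == AUTH_NEGOTIATE || a == AUTH_NTLM;
}

struct conn conn_make(const char *host, int port, enum auth_kind auth, const char *userpwd)
{
    struct conn c = { .port = port, .auth = auth };
    snprintf(c.host, sizeof c.host, "%s", host);
    snprintf(c.userpwd, sizeof c.userpwd, "%s", userpwd);
    return c;
}

struct request req_make(const char *host, int port, enum auth_kind auth, const char *userpwd)
{
    struct request r = { .port = port, .auth = auth };
    snprintf(r.host, sizeof r.host, "%s", host);
    snprintf(r.userpwd, sizeof r.userpwd, "%s", userpwd);
    return r;
}

/* Vulnerable lookup: any idle connection to the same host:port is reused. */
struct conn *find_reusable_vulnerable(struct conn *pool, size_t n, const struct request *r)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(pool[i].host, r->host) == 0 && pool[i].port == r->port)
            return &pool[i];
    }
    return NULL;
}

/* Hardened lookup: a connection bound to an identity by connection-oriented
 * auth is only given to a request using the same mechanism and the same
 * credentials. A connection not bound to an identity (never authenticated, or
 * authenticated per request such as Basic) is reusable by any request. */
struct conn *find_reusable_hardened(struct conn *pool, size_t n, const struct request *r)
{
    for (size_t i = 0; i < n; i++) {
        struct conn *c = &pool[i];
        if (strcmp(c->host, r->host) != 0 || c->port != r->port)
            continue;
        if (!auth_is_connection_oriented(c->auth))
            return c;
        if (c->auth == r->auth && strcmp(c->userpwd, r->userpwd) == 0)
            return c;
    }
    return NULL;
}

/* Scenario (constructed): alice's Negotiate connection is idle in the pool and
 * bob's request comes next. Returns 1 if bob would ride on alice's connection. */
int cross_user_reuse(bool hardened)
{
    struct conn pool[1] = { conn_make("intranet.example", 443, AUTH_NEGOTIATE, "alice@EXAMPLE:s3cret") };
    struct request bob = req_make("intranet.example", 443, AUTH_NEGOTIATE, "bob@EXAMPLE:hunter2");
    struct conn *c = hardened ? find_reusable_hardened(pool, 1, &bob)
                              : find_reusable_vulnerable(pool, 1, &bob);
    return c != NULL;
}

int main(void)
{
    printf("vulnerable lookup gives alice's connection to bob: %s\n", cross_user_reuse(false) ? "yes" : "no");
    printf("hardened lookup gives alice's connection to bob:   %s\n", cross_user_reuse(true) ? "yes" : "no");
    return 0;
}
```

The hardened lookup keys reuse on (mechanism, credentials) only for connection-oriented mechanisms; per-request schemes such as Basic do not bind a connection, so tightening them would cost performance without a security gain.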
Exploitation context
CVE-2026-5545 was published on May 13, 2026. As of that date no public proof-of-concept exploit is known. The vulnerability is not listed in CISA's KEV catalog, and its EPSS score is 0.04% (13th percentile), which indicates a low predicted probability of exploitation in the wild. Monitor the curl project's security page and the NVD entry for updates.
Threat analysis
Exploit status: no public proof of concept known (as of May 13, 2026)
EPSS: 0.04% (13th percentile)
Affected software: libcurl 8.12.0 through 8.19.0
Vulnerability classification (CWE)
Timeline
- Reserved
- Published (May 13, 2026)
- EPSS updated
Mitigation and workarounds
The primary mitigation for CVE-2026-5545 is to upgrade to libcurl 8.19.1 or later, which contains the fix. On distributions that backport security patches the fixed package may keep an older version number, so consult the vendor advisory rather than relying on the version string alone. If an upgrade is not immediately possible, reduce the exposure in the application by not letting a connection authenticated for one identity be reused for another: keep a separate connection pool per credential set (in libcurl terms, a separate easy handle per identity that is not driven through a shared multi handle or a share handle with connection sharing), or, at a performance cost, disable reuse outright with CURLOPT_FORBID_REUSE (close the connection after the transfer) and CURLOPT_FRESH_CONNECT (never reuse an existing connection for the transfer). Server-side controls cannot see which credentials the client intended to use; what a server can do is authorize every request strictly against the identity the connection actually authenticated as and log that identity, so a request that arrives under the wrong account is denied or at least leaves a record. After upgrading, confirm the behaviour with a verbose transfer (curl -v, or CURLOPT_VERBOSE in the application): issue two requests to the same host with different Negotiate credentials and verify that the second opens a new connection (a "Connected to" line) instead of reporting "Re-using existing connection".
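Two small checks that follow from the section above, added here as an example (not code from the curl project): whether the libcurl reported by `curl --version` falls inside the affected range 8.12.0 through 8.19.0, and whether the verbose output of a test transfer shows a connection being reused or a fresh connect. The banner and verbose log embedded below are constructed sample input; in practice the banner is the first line of `curl --version` and the log is the stderr of `curl -v` (or the CURLINFO_TEXT lines delivered to a CURLOPT_DEBUGFUNCTION). The matching relies only on the stable prefixes "Re-using existing connection" and "Connected to " of libcurl's verbose messages, since the wording after them has varied between releases.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: first line of `curl --version` on an affected
 * host, and a `curl -v` stderr excerpt in which the second request reuses
 * the first request's connection. Neither is real captured output. */
static const char SAMPLE_BANNER[] =
    "curl 8.18.0 (x86_64-pc-linux-gnu) libcurl/8.18.0 OpenSSL/3.0.13 zlib/1.3";

static const char SAMPLE_VERBOSE[] =
    "*   Trying 192.0.2.10:443...\n"
    "* Connected to intranet.example (192.0.2.10) port 443\n"
    "> GET /alice/ HTTP/1.1\n"
    "* Re-using existing connection with host intranet.example\n"
    "> GET /bob/ HTTP/1.1\n";

/* Copy the "x.y.z" that follows "libcurl/" in a curl --version banner.
 * The curl tool and the linked libcurl can differ, so read this token,
 * not the leading "curl x.y.z". */
bool libcurl_version_from_banner(const char *banner, char *out, size_t outlen)
{
    const char *p = strstr(banner, "libcurl/");
    if (!p) return false;
    p += strlen("libcurl/");
    size_t i = 0;
    while (p[i] && p[i] != ' ' && p[i] != '\n' && i + 1 < outlen) {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
    return i > 0;
}

/* 1 = inside the affected range stated on this page (8.12.0..8.19.0),
 * 0 = outside it, -1 = not a parsable major.minor.patch version.
 * Distributions that backport the fix may keep an older version number;
 * for those the vendor advisory, not this check, is authoritative. */
int libcurl_affected(const char *version)
{
    int maj, min, pat;
    if (sscanf(version, "%d.%d.%d", &maj, &min, &pat) != 3) return -1;
    long key = (long)maj * 1000000L + (long)min * 1000L + pat;
    const long first_bad = 8L * 1000000L + 12L * 1000L;   /* 8.12.0 */
    const long last_bad  = 8L * 1000000L + 19L * 1000L;   /* 8.19.0 */
    return (key >= first_bad && key <= last_bad) ? 1 : 0;
}

/* Count verbose lines reporting connection reuse versus a fresh connect.
 * Each line is copied into a bounded buffer so strstr cannot run past it. */
void count_connection_events(const char *log, int *reused, int *fresh)
{
    *reused = 0;
    *fresh = 0;
    const char *line = log;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strstr(buf, "Re-using existing connection"))
            (*reused)++;
        else if (strstr(buf, "Connected to "))
            (*fresh)++;
        line = nl ? nl + 1 : line + strlen(line);
    }
}

int main(void)
{
    char ver[32];
    if (libcurl_version_from_banner(SAMPLE_BANNER, ver, sizeof ver))
        printf("libcurl %s: %s\n", ver,
               libcurl_affected(ver) == 1 ? "in the affected range for CVE-2026-5545"
                                          : "not in the affected range");
    int reused, fresh;
    count_connection_events(SAMPLE_VERBOSE, &reused, &fresh);
    printf("fresh connects: %d, reused connections: %d\n", fresh, reused);
    return 0;
}
```

For the post-upgrade check described above, run the two-credential test transfer with -v and feed its stderr to count_connection_events: with the fix in place the second request should add to the fresh count, not the reused count. Remember that applications may bundle their own libcurl (statically linked or vendored), which `curl --version` on the host does not report.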
How to fix
Upgrade to version 8.19.1 or later to prevent the incorrect reuse of HTTP Negotiate connections. The vulnerability allows a request made with one set of credentials to be sent over a connection that was authenticated with another, which can give that request access it should not have. Check the official libcurl sources for update instructions specific to your operating system.
Frequently asked questions
What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?
CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0 through 8.19.0 in which a connection authenticated with Negotiate may be reused for a later request to the same server that carries different credentials, potentially leading to unauthorized access and data exposure. Severity is pending evaluation.
Am I affected by CVE-2026-5545 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check the linked library version with curl --version and read the libcurl/x.y.z token, not the leading curl tool version, since the two can differ. Applications that bundle their own libcurl (statically linked or vendored) must be checked separately, and distributions that backport fixes may ship a patched package under an older version number, so consult your vendor's advisory as well.
How do I fix CVE-2026-5545 in libcurl?
Upgrade to libcurl version 8.19.1 or later to resolve the vulnerability. If an immediate upgrade is not possible, keep connections for different credential sets in separate pools, or disable connection reuse for authenticated transfers (CURLOPT_FORBID_REUSE, CURLOPT_FRESH_CONNECT) at a performance cost, and make sure the server authorizes each request against the identity the connection actually authenticated as.
Is CVE-2026-5545 being actively exploited?
As of May 13, 2026, there are no publicly known active exploits or campaigns targeting CVE-2026-5545. However, it's crucial to apply the fix promptly to prevent potential future exploitation.
Where can I find the official libcurl advisory for CVE-2026-5545?
Refer to the official libcurl project website and security mailing lists for the latest advisory and updates regarding CVE-2026-5545: https://curl.se/security/
Is your project affected?
Upload your dependency file and find out immediately whether this and other CVEs affect you.
Upload a manifest (composer.lock, package-lock.json, WordPress plugin list, ...) or paste your component list to receive an instant vulnerability report. Uploading a file is only the start: with an account you get continuous monitoring, Slack/email notifications, and multi-project and white-label reports.