CVE-2026-7168: Proxy Header Leak in libcurl

The primary impact of CVE-2026-7168 is the potential leakage of proxy authentication credentials. An attacker who can control the HTTP proxy chain could craft a malicious request sequence that exploits this flaw. First, a connection is established to proxyA using Digest authentication. Then, a subsequent connection is attempted to proxyB. Due to the incorrect header forwarding, the Proxy-Authorization header intended for proxyA is inadvertently sent to proxyB. If proxyB relies on this header for authentication, an attacker could potentially bypass authentication and gain unauthorized access to resources protected by proxyB. The blast radius is limited to systems using libcurl with the vulnerable proxy configuration and relying on Digest authentication. This vulnerability doesn't inherently lead to remote code execution, but it can facilitate privilege escalation or data exfiltration if the compromised proxy has access to sensitive data.

1. Reserviert2026-04-27
2. Veröffentlicht2026-05-13
3. EPSS aktualisiert2026-05-13

The recommended mitigation for CVE-2026-7168 is to upgrade to libcurl version 8.19.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to disable Digest authentication for proxy servers where possible. Alternatively, configure your proxy servers to ignore unexpected or malformed Proxy-Authorization headers. WAF rules can be implemented to inspect HTTP requests for suspicious header forwarding patterns. Carefully review proxy configurations to ensure that authentication headers are handled correctly. After upgrading, confirm the fix by performing a test transfer sequence through multiple proxies with Digest authentication to verify that the Proxy-Authorization header is not being incorrectly forwarded.