Kostenlos scannen
Analyse ausstehendCVE-2026-5545

CVE-2026-5545: Connection Reuse Vulnerability in libcurl

Plattform

c

Komponente

curl

Behoben in

8.19.1

Auf NVD ansehen
Speichern

CVE-2026-5545 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability stems from a logical error in connection reuse logic, potentially allowing an attacker to exploit a connection authenticated with different credentials. Successful exploitation could lead to unauthorized access to resources and data. A fix is available in version 8.19.1.

Auswirkungen und Angriffsszenarienwird übersetzt…

The core of the vulnerability lies in libcurl's connection pooling mechanism. When an application makes authenticated HTTP(S) requests, libcurl attempts to reuse existing connections to improve performance. However, under specific circumstances involving Negotiate authentication, the code incorrectly reuses a connection authenticated with different credentials. This means an attacker could potentially hijack a connection previously used by a legitimate user, gaining access to resources they shouldn't have. The impact is particularly severe in environments where sensitive data is transmitted over HTTP(S), such as financial transactions or access to private APIs. While the description doesn't explicitly mention it, a successful exploit could lead to session hijacking and unauthorized data modification.

Ausnutzungskontextwird übersetzt…

CVE-2026-5545 was published on May 13, 2026. Its severity is pending evaluation. Currently, there are no publicly known Proof-of-Concept (POC) exploits. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS. Given the nature of the vulnerability – improper connection reuse – it's plausible that attackers could develop exploits targeting applications that rely heavily on libcurl for HTTP(S) communication.

Bedrohungsanalyse

Exploit-Status

Proof of ConceptUnbekannt
CISA KEVNO

EPSS

0.04% (13% Perzentil)

Betroffene Software

Komponentecurl
Herstellercurl
Mindestversion8.12.0
Höchstversion8.19.0
Behoben in8.19.1

Schwachstellen-Klassifikation (CWE)

CWE-305

Zeitleiste

  1. Reserviert
  2. Veröffentlicht
  3. EPSS aktualisiert

Mitigation und Workaroundswird übersetzt…

The primary mitigation for CVE-2026-5545 is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. One potential workaround is to disable connection reuse entirely, although this will negatively impact performance. Another approach is to carefully review application code to ensure that authentication credentials are properly managed and that connections are not inadvertently reused across different authentication contexts. Monitor libcurl logs for unusual connection activity. After upgrading, confirm the fix by performing authenticated HTTP(S) requests and verifying that connections are not being reused improperly.

So behebenwird übersetzt…

Actualice a la versión 8.19.1 o posterior para evitar la reutilización incorrecta de conexiones HTTP Negotiate. Esta vulnerabilidad permite que un atacante potencialmente robe credenciales al reutilizar conexiones autenticadas incorrectamente.  Verifique las fuentes oficiales de libcurl para obtener instrucciones de actualización específicas para su sistema operativo.

Häufig gestellte Fragenwird übersetzt…

What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?

CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0–8.19.0 that allows unauthorized connection reuse in HTTP(S) requests after Negotiate authentication, potentially exposing sensitive data.

Am I affected by CVE-2026-5545 in libcurl?

If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check your libcurl version using curl --version.

How do I fix CVE-2026-5545 in libcurl?

Upgrade to libcurl version 8.19.1 or later to resolve this vulnerability. If upgrading is not possible immediately, consider temporary workarounds like disabling connection reuse.

Is CVE-2026-5545 being actively exploited?

Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-5545, but it's crucial to apply the fix proactively.

Where can I find the official libcurl advisory for CVE-2026-5545?

Refer to the libcurl project's security announcements for the official advisory: https://curl.se/security/

Ist dein Projekt betroffen?

Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.

Kostenlos scannenCVEs suchen
liveKostenloser Scan

Jetzt testen — kein Konto

Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.

Manueller ScanSlack/E-Mail-AlertsKontinuierliche ÜberwachungWhite-Label-Berichte

Abhängigkeitsdatei hier ablegen

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...