CVE-2026-5545: Connection Reuse Vulnerability in libcurl
Platform
c
Component
curl
Fixed in
8.19.1
CVE-2026-5545 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability stems from a logical error in connection reuse logic, potentially allowing an attacker to exploit a connection authenticated with different credentials. Successful exploitation could lead to unauthorized access to resources and data. A fix is available in version 8.19.1.
Impact and Attack Scenarios
The core of the vulnerability lies in libcurl's connection pooling mechanism. When an application makes authenticated HTTP(S) requests, libcurl attempts to reuse existing connections to improve performance. However, under specific circumstances involving Negotiate authentication, the code incorrectly reuses a connection authenticated with different credentials. This means an attacker could potentially hijack a connection previously used by a legitimate user, gaining access to resources they shouldn't have. The impact is particularly severe in environments where sensitive data is transmitted over HTTP(S), such as financial transactions or access to private APIs. While the description doesn't explicitly mention it, a successful exploit could lead to session hijacking and unauthorized data modification.
Exploitation Context
CVE-2026-5545 was published on May 13, 2026. Its severity is pending evaluation. Currently, there are no publicly known Proof-of-Concept (POC) exploits. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS. Given the nature of the vulnerability – improper connection reuse – it's plausible that attackers could develop exploits targeting applications that rely heavily on libcurl for HTTP(S) communication.
Threat Intelligence
Exploit Status
EPSS
0.04% (13% percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-5545 is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. One potential workaround is to disable connection reuse entirely, although this will negatively impact performance. Another approach is to carefully review application code to ensure that authentication credentials are properly managed and that connections are not inadvertently reused across different authentication contexts. Monitor libcurl logs for unusual connection activity. After upgrading, confirm the fix by performing authenticated HTTP(S) requests and verifying that connections are not being reused improperly.
How to fix
Actualice a la versión 8.19.1 o posterior para evitar la reutilización incorrecta de conexiones HTTP Negotiate. Esta vulnerabilidad permite que un atacante potencialmente robe credenciales al reutilizar conexiones autenticadas incorrectamente. Verifique las fuentes oficiales de libcurl para obtener instrucciones de actualización específicas para su sistema operativo.
Frequently asked questions
What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?
CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0–8.19.0 that allows unauthorized connection reuse in HTTP(S) requests after Negotiate authentication, potentially exposing sensitive data.
Am I affected by CVE-2026-5545 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check your libcurl version using curl --version.
How do I fix CVE-2026-5545 in libcurl?
Upgrade to libcurl version 8.19.1 or later to resolve this vulnerability. If upgrading is not possible immediately, consider temporary workarounds like disabling connection reuse.
Is CVE-2026-5545 being actively exploited?
Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-5545, but it's crucial to apply the fix proactively.
Where can I find the official libcurl advisory for CVE-2026-5545?
Refer to the libcurl project's security announcements for the official advisory: https://curl.se/security/
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...