CVE-2026-6276: Cookie Leak in libcurl 8.12.0–8.19.0
Platform
c
Component
curl
Fixed in
8.19.1
CVE-2026-6276 describes a cookie leak vulnerability within libcurl, a widely used library for transferring data with URLs. This flaw allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. The vulnerability affects versions 8.12.0 through 8.19.0, and a fix is available in version 8.19.1.
Impact and Attack Scenarios
The core of the vulnerability lies in how libcurl handles the Host: header in subsequent HTTP requests. When a custom Host: header is initially set, libcurl stores this information. If a second request is made using the same easy handle but without explicitly setting the Host: header, libcurl incorrectly reuses the stale Host: value from the first request. This can lead to cookies intended for the original host being inadvertently sent with the second request, exposing them to an attacker. The impact is the potential exposure of session cookies, authentication tokens, or other sensitive data transmitted via cookies. Successful exploitation could allow an attacker to impersonate a user or gain unauthorized access to protected resources.
Exploitation Context
CVE-2026-6276 was published on May 13, 2026. It is not currently listed on KEV (Knowledge-based Enumeration of Vulnerabilities) or EPSS (Exploit Prediction Scoring System), indicating a low to medium probability of exploitation. No public proof-of-concept (POC) code is currently available. The vulnerability's impact is primarily dependent on the application's reliance on cookies for authentication and session management.
Threat Intelligence
Exploit Status
EPSS
0.01% (1% percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-6276 is to upgrade to libcurl version 8.19.1 or later. This version contains the fix that correctly handles the Host: header in subsequent requests. If upgrading is not immediately feasible, consider implementing a workaround by explicitly setting the Host: header for every HTTP request made through libcurl, ensuring no stale values are used. Web application firewalls (WAFs) configured to inspect HTTP headers might be able to detect and block suspicious requests exhibiting this pattern, but this is not a substitute for patching. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual cookie behavior in application logs is recommended.
How to fix
Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de cookies. Esta vulnerabilidad ocurre cuando se utiliza un encabezado 'Host' personalizado y se realiza una segunda solicitud sin él, lo que puede llevar a que se utilicen cookies incorrectas.
Frequently asked questions
What is CVE-2026-6276 — Cookie Leak in libcurl?
CVE-2026-6276 is a vulnerability in libcurl versions 8.12.0 through 8.19.0 that allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. It stems from how libcurl handles the Host header.
Am I affected by CVE-2026-6276 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected by this vulnerability. Check your libcurl version using 'curl --version'.
How do I fix CVE-2026-6276 in libcurl?
The recommended fix is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately possible, explicitly set the Host header for every HTTP request.
Is CVE-2026-6276 being actively exploited?
As of now, CVE-2026-6276 is not known to be actively exploited. However, the potential for exploitation exists, and proactive patching is recommended.
Where can I find the official libcurl advisory for CVE-2026-6276?
Refer to the libcurl security announcements page for the official advisory: https://curl.se/security/
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...