CVE-2026-7009: OCSP Stapling Flaw in curl 8.17.0–8.19.0
Platform
curl
Component
curl
Fixed in
8.19.1
CVE-2026-7009 affects versions 8.17.0 through 8.19.0 of curl. This vulnerability arises from a flaw in how curl handles OCSP stapling, a mechanism used to verify the validity of server certificates. If exploited, attackers could potentially bypass certificate validation and intercept sensitive data. A fix is available in version 8.19.1.
Impact and Attack Scenarios
The core of this vulnerability lies in curl's mishandling of OCSP stapling responses. OCSP stapling is designed to provide real-time certificate revocation status, ensuring that clients only connect to valid certificates. CVE-2026-7009 allows an attacker to present a malicious certificate, and curl will incorrectly validate it as legitimate, even if the certificate has been revoked. This opens the door to man-in-the-middle (MITM) attacks, where an attacker can intercept and potentially modify network traffic between the client and the server. The impact is particularly severe for applications that rely on curl for secure communication, such as web browsers, API clients, and automation scripts. Successful exploitation could lead to data breaches, credential theft, and other malicious activities.
Exploitation Context
CVE-2026-7009 was published on May 13, 2026. Its CVSS severity is pending evaluation. No public proof-of-concept (POC) code has been released at the time of writing, but the nature of the vulnerability suggests a moderate likelihood of exploitation once a POC becomes available. Monitor security advisories and threat intelligence feeds for updates on active campaigns targeting this vulnerability. Refer to the curl security advisory for more details.
Threat Intelligence
Exploit Status
EPSS
0.01% (1% percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-7009 is to upgrade to curl version 8.19.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While not a complete solution, disabling OCSP stapling can reduce the risk, but it also weakens certificate validation. This can be done by setting the --no-ocs-stapling flag when invoking curl. Monitor network traffic for suspicious activity and consider using a Web Application Firewall (WAF) to detect and block malicious requests. After upgrading, confirm the fix by running curl against a known secure HTTPS endpoint and verifying that certificate validation proceeds as expected.
How to fix
Actualice a la versión 8.19.1 o superior para corregir la vulnerabilidad. Esta actualización aborda un problema donde curl no detectaba correctamente problemas de OCSP, lo que podría llevar a una validación incorrecta de certificados.
Frequently asked questions
What is CVE-2026-7009 — OCSP Stapling Flaw in curl?
CVE-2026-7009 is a vulnerability in curl versions 8.17.0–8.19.0 where OCSP stapling verification fails, potentially allowing man-in-the-middle attacks. It allows attackers to bypass certificate validation and intercept sensitive data.
Am I affected by CVE-2026-7009 in curl?
You are affected if you are using curl versions 8.17.0 through 8.19.0. Check your curl version using curl --version and upgrade if necessary.
How do I fix CVE-2026-7009 in curl?
Upgrade to curl version 8.19.1 or later to resolve the vulnerability. As a temporary workaround, you can disable OCSP stapling using the --no-ocs-stapling flag.
Is CVE-2026-7009 being actively exploited?
No public exploitation has been reported as of May 13, 2026, but the vulnerability's nature suggests a potential for exploitation once a proof-of-concept is available.
Where can I find the official curl advisory for CVE-2026-7009?
Refer to the official curl security advisory, which can be found on the curl project's website or through security mailing lists. Check curl.se for updates.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Try it now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...