CVE-2026-6276: Cookie Leak in libcurl 8.12.0–8.19.0

The core of the vulnerability lies in how libcurl handles the Host: header in subsequent HTTP requests. When a custom Host: header is initially set, libcurl stores this information. If a second request is made using the same easy handle but without explicitly setting the Host: header, libcurl incorrectly reuses the stale Host: value from the first request. This can lead to cookies intended for the original host being inadvertently sent with the second request, exposing them to an attacker. The impact is the potential exposure of session cookies, authentication tokens, or other sensitive data transmitted via cookies. Successful exploitation could allow an attacker to impersonate a user or gain unauthorized access to protected resources.

1. Reservado2026-04-14
2. Publicada2026-05-13
3. EPSS actualizado2026-05-13

The primary mitigation for CVE-2026-6276 is to upgrade to libcurl version 8.19.1 or later. This version contains the fix that correctly handles the Host: header in subsequent requests. If upgrading is not immediately feasible, consider implementing a workaround by explicitly setting the Host: header for every HTTP request made through libcurl, ensuring no stale values are used. Web application firewalls (WAFs) configured to inspect HTTP headers might be able to detect and block suspicious requests exhibiting this pattern, but this is not a substitute for patching. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual cookie behavior in application logs is recommended.