Analysis pending: CVE-2026-6429

CVE-2026-6429: Credentials Leak in cURL 8.12.0–8.19.0

Platform: c

Component: curl

Fixed in: 8.19.1

CVE-2026-6429 is a security vulnerability affecting cURL versions 8.12.0 through 8.19.0. This issue arises when cURL is configured to use a .netrc file for authentication and simultaneously follows HTTP redirects. Under specific conditions, the password used for the initial host can be inadvertently leaked to the redirected host, compromising sensitive credentials.

Impact and Attack Scenarios

The primary impact of CVE-2026-6429 is the potential for credential leakage. An attacker who can control the HTTP redirect destination can trick cURL into sending the initial host's password to a malicious server. This could lead to unauthorized access to systems and data protected by those credentials. The blast radius depends on the sensitivity of the credentials stored in the .netrc file and the permissions associated with the affected cURL instances. This vulnerability shares similarities with other authentication bypass vulnerabilities where improper handling of credentials can lead to privilege escalation or data exfiltration.

Exploitation Context

CVE-2026-6429 was published on May 13, 2026. The EPSS score is pending evaluation. Currently, there are no publicly available proof-of-concept exploits. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No

EPSS

0.02% (percentile 4%)

Affected Software

Component: curl
Vendor: curl
Minimum version: 8.12.0
Maximum version: 8.19.0
Fixed in: 8.19.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The recommended mitigation for CVE-2026-6429 is to upgrade to cURL version 8.19.1 or later, which contains the fix. If upgrading is not immediately feasible, consider disabling HTTP redirects or restricting the use of .netrc files in environments where this vulnerability poses a significant risk. As a temporary workaround, carefully review and restrict the domains that cURL is allowed to access, limiting the potential for redirection to malicious sites. After upgrading, verify the fix by attempting a transfer with a redirect and confirming that the password is not exposed in the redirected request.
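To make the verification step concrete, here is an added example (not curl's code, and a simplified model of the behaviour the advisory describes): a client that carries the first host's credentials through a redirect chain, beside one that re-resolves credentials from .netrc for each hop's host, plus a check that flags any hop where a password belonging to another host was sent. The .netrc contents and host names are constructed for the example.

```python
"""Model of the netrc-on-redirect credential rule behind CVE-2026-6429.
Simplified illustration, not curl's code: the unsafe policy (reuse the first
hop's credentials on every redirect) next to the safe one (look credentials
up per hop), and a check that flags a leaked password in a request trace."""
import netrc
import os
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample .netrc with hypothetical hosts (not from the advisory).
SAMPLE_NETRC = (
    "machine api.internal.example login svc-account password s3cr3t-internal\n"
    "machine mirror.example login anonymous password guest\n"
)


def load_netrc(text: str) -> netrc.netrc:
    """Parse netrc text with the stdlib parser, which needs a file path."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        return netrc.netrc(path)
    finally:
        os.unlink(path)


def creds_for(entries: netrc.netrc, url: str) -> Optional[Tuple[str, str]]:
    """(login, password) for the URL's host, or None if .netrc has no entry."""
    auth = entries.authenticators(urlsplit(url).hostname or "")
    return None if auth is None else (auth[0], auth[2])


Trace = List[Tuple[str, Optional[Tuple[str, str]]]]


def follow(entries: netrc.netrc, chain: List[str], carry_over: bool) -> Trace:
    """Walk a redirect chain (initial URL, then each Location target) and record
    the credentials each request would carry. carry_over=True models the unsafe
    behaviour: the first host's credentials are reused on every later hop."""
    trace: Trace = []
    current = creds_for(entries, chain[0])
    for url in chain:
        if not carry_over:
            current = creds_for(entries, url)  # safe: per-hop lookup
        trace.append((url, current))
    return trace


def leaked_hops(entries: netrc.netrc, trace: Trace) -> List[str]:
    """Hops that sent a password belonging to a different host's .netrc entry."""
    return [url for url, sent in trace
            if sent is not None and sent != creds_for(entries, url)]
```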

How to Fix

Upgrade to version 8.19.1 or later to avoid the credential leak. This issue occurs when a .netrc file is used and HTTP redirects are followed, so apply the update as soon as possible to protect confidential information.

Frequently Asked Questions

What is CVE-2026-6429 — Credentials Leak in cURL?

CVE-2026-6429 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where passwords from .netrc files can be leaked during HTTP redirects, potentially exposing credentials to attackers.

Am I affected by CVE-2026-6429 in cURL?

You are affected if you are using cURL versions 8.12.0 through 8.19.0 and your application uses both .netrc files for authentication and follows HTTP redirects.

How do I fix CVE-2026-6429 in cURL?

Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. As a temporary workaround, disable HTTP redirects or restrict .netrc file usage.

Is CVE-2026-6429 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-6429, but monitoring is advised.

Where can I find the official cURL advisory for CVE-2026-6429?

Refer to the official cURL security advisories on the cURL website for the latest information and updates regarding CVE-2026-6429: https://curl.se/security/
