CVE-2026-6429: Credentials Leak in cURL 8.12.0–8.19.0
Platform
c
Component
curl
Fixed in
8.19.1
CVE-2026-6429 is a security vulnerability affecting cURL versions 8.12.0 through 8.19.0. This issue arises when cURL is configured to use a .netrc file for authentication and simultaneously follows HTTP redirects. Under specific conditions, the password used for the initial host can be inadvertently leaked to the redirected host, compromising sensitive credentials.
Impact and attack conditions
The primary impact of CVE-2026-6429 is the potential for credential leakage. An attacker who can control the HTTP redirect destination can trick cURL into sending the initial host's password to a malicious server. This could lead to unauthorized access to systems and data protected by those credentials. The blast radius depends on the sensitivity of the credentials stored in the .netrc file and the permissions associated with the affected cURL instances. This vulnerability shares similarities with other authentication bypass vulnerabilities where improper handling of credentials can lead to privilege escalation or data exfiltration.
Exploitation context
CVE-2026-6429 was published on May 13, 2026. The EPSS score is pending evaluation. Currently, there are no publicly available proof-of-concept exploits. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Threat intelligence
Exploit status
EPSS
0.02% (4th percentile)
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and workarounds
The recommended mitigation for CVE-2026-6429 is to upgrade to cURL version 8.19.1 or later, which contains the fix. If upgrading is not immediately feasible, consider disabling HTTP redirects or restricting the use of .netrc files in environments where this vulnerability poses a significant risk. As a temporary workaround, carefully review and restrict the domains that cURL is allowed to access, limiting the potential for redirection to malicious sites. After upgrading, verify the fix by attempting a transfer with a redirect and confirming that the password is not exposed in the redirected request.
How to fix
Upgrade to version 8.19.1 or later to prevent the credential leak. This issue occurs when a .netrc file is used and HTTP redirects are followed, so it is important to apply the update as soon as possible to protect confidential information.
Frequently asked questions
What is CVE-2026-6429 — Credentials Leak in cURL?
CVE-2026-6429 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where passwords from .netrc files can be leaked during HTTP redirects, potentially exposing credentials to attackers.
Am I affected by CVE-2026-6429 in cURL?
You are affected if you are using cURL versions 8.12.0 through 8.19.0 and your application uses both .netrc files for authentication and follows HTTP redirects.
How do I fix CVE-2026-6429 in cURL?
Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. As a temporary workaround, disable HTTP redirects or restrict .netrc file usage.
Is CVE-2026-6429 being actively exploited?
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-6429, but monitoring is advised.
Where can I find the official cURL advisory for CVE-2026-6429?
Refer to the official cURL security advisories on the cURL website for the latest information and updates regarding CVE-2026-6429: https://curl.se/security/
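The per-host credential resolution that the mitigation section asks you to verify, and the version range behind "Am I affected?", modelled as an added Python example (this is not curl's own code or its fix): the function names, the constructed .netrc contents and the two redirect behaviours are illustrative assumptions; only the version range comes from the advisory.

```python
import re
from urllib.parse import urlsplit

AFFECTED_MIN, FIXED_IN = (8, 12, 0), (8, 19, 1)  # advisory: 8.12.0-8.19.0 affected, fixed in 8.19.1

def parse_version(text):
    """(major, minor, patch) from a string such as 'curl 8.18.0'."""
    return tuple(int(p) for p in re.search(r"(\d+)\.(\d+)\.(\d+)", text).groups())

def is_affected(version_text):
    """True when the curl version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version_text) < FIXED_IN

def parse_netrc(text):
    """Minimal .netrc reader: ({host: (login, password)}, default_or_None).
    Model only: 'macdef' macros are not supported."""
    hosts, default, current = {}, None, None
    tokens = text.split()
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "machine":
            current = hosts.setdefault(tokens[i + 1], {})
            i += 2
        elif tok == "default":
            current = default = {}
            i += 1
        elif tok in ("login", "password", "account") and current is not None:
            current[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    def as_pair(d): return (d.get("login"), d.get("password")) if d else None
    return {h: as_pair(d) for h, d in hosts.items()}, as_pair(default)

def credentials_for(url, netrc):
    """Credentials a .netrc-aware client should use for this URL's host.
    A 'default' entry applies to every host, which widens exposure."""
    hosts, default = netrc
    return hosts.get(urlsplit(url).hostname, default)

def redirected_request_credentials(initial_url, location, netrc_text, reuse_initial):
    """Credentials attached to the request that follows a redirect.
    reuse_initial=True models the leak the advisory describes (first host's
    credentials carried to the Location host); False re-resolves .netrc per host."""
    netrc = parse_netrc(netrc_text)
    source_url = initial_url if reuse_initial else location
    return credentials_for(source_url, netrc)
```

When checking a patched build, the same expectation applies: a redirect to a host without its own .netrc entry should carry no credentials, and a `default` entry in .netrc is the one case where credentials legitimately reach any host.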