CVE-2026-7168: Proxy Header Leak in libcurl

The core of this vulnerability lies in libcurl's handling of proxy authentication headers. When a client connects to proxyA using Digest authentication and then switches to proxyB without properly clearing the previous authentication information, libcurl incorrectly forwards the Proxy-Authorization header intended for proxyA to proxyB. This allows an attacker controlling proxyA to potentially eavesdrop on or manipulate traffic destined for proxyB, even if proxyB uses a different authentication scheme or has stricter security policies. The potential impact includes unauthorized access to resources behind proxyB, data exfiltration, and man-in-the-middle attacks. While not a direct remote code execution vulnerability, the header leakage can be a stepping stone for further exploitation.

1. आरक्षित2026-04-27
2. प्रकाशित2026-05-13
3. EPSS अद्यतन2026-05-13

The primary mitigation for CVE-2026-7168 is to upgrade to libcurl version 8.19.1 or later. This version includes a fix that correctly handles proxy header transitions, preventing the unauthorized forwarding of authentication credentials. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling Digest authentication or restricting the use of multiple proxies within the same libcurl handle. Additionally, review your application's proxy configuration to ensure that sensitive information is not inadvertently exposed. After upgrading, confirm the fix by testing proxy switching scenarios and verifying that the Proxy-Authorization header is not being incorrectly passed to subsequent proxies.