CVE-2026-6276 describes a cookie leak vulnerability within libcurl, a widely used library for transferring data with URLs. This flaw allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. The vulnerability affects versions 8.12.0 through 8.19.0, and a fix is available in version 8.19.1.
影響と攻撃シナリオ翻訳中…
The core of the vulnerability lies in how libcurl handles the Host: header in subsequent HTTP requests. When a custom Host: header is initially set, libcurl stores this information. If a second request is made using the same easy handle but without explicitly setting the Host: header, libcurl incorrectly reuses the stale Host: value from the first request. This can lead to cookies intended for the original host being inadvertently sent with the second request, exposing them to an attacker. The impact is the potential exposure of session cookies, authentication tokens, or other sensitive data transmitted via cookies. Successful exploitation could allow an attacker to impersonate a user or gain unauthorized access to protected resources.
悪用の状況翻訳中…
CVE-2026-6276 was published on May 13, 2026. It is not currently listed on KEV (Knowledge-based Enumeration of Vulnerabilities) or EPSS (Exploit Prediction Scoring System), indicating a low to medium probability of exploitation. No public proof-of-concept (POC) code is currently available. The vulnerability's impact is primarily dependent on the application's reliance on cookies for authentication and session management.
脅威インテリジェンス
エクスプロイト状況
EPSS
0.01% (1% パーセンタイル)
影響を受けるソフトウェア
弱点分類 (CWE)
タイムライン
- 予約済み
- 公開日
- EPSS 更新日
緩和策と回避策翻訳中…
The primary mitigation for CVE-2026-6276 is to upgrade to libcurl version 8.19.1 or later. This version contains the fix that correctly handles the Host: header in subsequent requests. If upgrading is not immediately feasible, consider implementing a workaround by explicitly setting the Host: header for every HTTP request made through libcurl, ensuring no stale values are used. Web application firewalls (WAFs) configured to inspect HTTP headers might be able to detect and block suspicious requests exhibiting this pattern, but this is not a substitute for patching. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual cookie behavior in application logs is recommended.
修正方法翻訳中…
Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de cookies. Esta vulnerabilidad ocurre cuando se utiliza un encabezado 'Host' personalizado y se realiza una segunda solicitud sin él, lo que puede llevar a que se utilicen cookies incorrectas.
よくある質問翻訳中…
What is CVE-2026-6276 — Cookie Leak in libcurl?
CVE-2026-6276 is a vulnerability in libcurl versions 8.12.0 through 8.19.0 that allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. It stems from how libcurl handles the Host header.
Am I affected by CVE-2026-6276 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected by this vulnerability. Check your libcurl version using 'curl --version'.
How do I fix CVE-2026-6276 in libcurl?
The recommended fix is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately possible, explicitly set the Host header for every HTTP request.
Is CVE-2026-6276 being actively exploited?
As of now, CVE-2026-6276 is not known to be actively exploited. However, the potential for exploitation exists, and proactive patching is recommended.
Where can I find the official libcurl advisory for CVE-2026-6276?
Refer to the libcurl security announcements page for the official advisory: https://curl.se/security/
今すぐ試す — アカウント不要
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
依存関係ファイルをドラッグ&ドロップ
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...