
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.

Pending analysis: CVE-2026-6429

CVE-2026-6429: Credentials Leak in cURL 8.12.0–8.19.0

Platform: c

Component: curl

Fixed version: 8.19.1


CVE-2026-6429 is a security vulnerability affecting cURL versions 8.12.0 through 8.19.0. This issue arises when cURL is configured to use a .netrc file for authentication and simultaneously follows HTTP redirects. Under specific conditions, the password used for the initial host can be inadvertently leaked to the redirected host, compromising sensitive credentials.

Impact and attack scenarios

The primary impact of CVE-2026-6429 is credential leakage. An attacker who controls the destination of an HTTP redirect can cause cURL to send the initial host's password to a server of the attacker's choosing, which may give unauthorized access to the systems and data protected by those credentials. The blast radius depends on how sensitive the credentials stored in the .netrc file are and on what the affected cURL instances are permitted to reach. The flaw belongs to the same family as other authentication bypass issues in which mishandled credentials lead to privilege escalation or data exfiltration.

Exploitation status

CVE-2026-6429 was published on May 13, 2026. The EPSS score is pending evaluation. Currently, there are no publicly available proof-of-concept exploits. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.

Threat intelligence

Exploit status

Proof of concept: Unknown
CISA KEV: No

EPSS

0.02% (4th percentile)

Affected software

Component: curl
Vendor: curl
Minimum version: 8.12.0
Maximum version: 8.19.0
Fixed version: 8.19.1

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigations and workarounds

The recommended mitigation for CVE-2026-6429 is to upgrade to cURL version 8.19.1 or later, which contains the fix. If upgrading is not immediately feasible, consider disabling HTTP redirects or restricting the use of .netrc files in environments where this vulnerability poses a significant risk. As a temporary workaround, carefully review and restrict the domains that cURL is allowed to access, limiting the potential for redirection to malicious sites. After upgrading, verify the fix by attempting a transfer with a redirect and confirming that the password is not exposed in the redirected request.
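The version check and the post-upgrade verification described above, as an added example that is not part of this page or of the curl project: the script classifies a `curl --version` banner against the advisory's affected window, then runs a local transfer in which host A (127.0.0.1, listed in a temporary .netrc with a constructed dummy password) redirects to host B (localhost, not listed) and reports whether that password reached host B. The function names, the dummy credential and the two loopback servers are this example's own assumptions.

```python
import base64, os, re, shutil, subprocess, tempfile, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

AFFECTED_MIN, FIXED = (8, 12, 0), (8, 19, 1)   # window stated in the advisory
PASSWORD = "s3cret-placeholder"                 # constructed dummy credential, not a real one

def parse_curl_version(banner):
    """Return (major, minor, patch) from `curl --version` output, or None."""
    m = re.search(r"^curl (\d+)\.(\d+)\.(\d+)", banner, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when the version lies in 8.12.0 .. 8.19.0 (fixed in 8.19.1)."""
    return version is not None and AFFECTED_MIN <= version < FIXED

def _serve(handler):
    # Throwaway HTTP server on a random loopback port, running in a daemon thread.
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_redirect_leak():
    """Host A (in .netrc) 302-redirects to host B (not in .netrc); report whether the password reached B."""
    curl = shutil.which("curl")
    if not curl:
        return {"curl_found": False, "leaked": None}
    seen = {}                                   # headers received by host B
    class HostB(BaseHTTPRequestHandler):
        def do_GET(self):
            seen.update(self.headers.items()); self.send_response(200); self.end_headers()
        def log_message(self, *a): pass
    host_b = _serve(HostB)
    class HostA(HostB):                         # same quiet logging, different response
        def do_GET(self):
            self.send_response(302)
            self.send_header("Location", f"http://localhost:{host_b.server_port}/")
            self.end_headers()
    host_a = _serve(HostA)
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as f:
        f.write(f"machine 127.0.0.1 login testuser password {PASSWORD}\n")
    try:   # -L follows the redirect; --netrc-file supplies credentials for host A only
        subprocess.run([curl, "-sS", "-L", "--netrc-file", f.name, "-o", os.devnull,
                        f"http://127.0.0.1:{host_a.server_port}/"], timeout=15)
    except subprocess.TimeoutExpired:
        pass
    finally:
        os.unlink(f.name); host_a.shutdown(); host_b.shutdown()
    auth = next((v for k, v in seen.items() if k.lower() == "authorization"), "")
    creds = base64.b64decode(auth.split()[-1]).decode(errors="ignore") if auth.lower().startswith("basic ") else ""
    return {"curl_found": True, "leaked": PASSWORD in creds, "host_b_auth_header": auth}
```

A fixed curl yields `leaked: False` with an empty `host_b_auth_header`; run the check before and after the upgrade to confirm the behaviour change on your own build.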

How to fix

Upgrade to version 8.19.1 or later to prevent the credential leak. The issue occurs when a .netrc file is used and HTTP redirects are followed, so apply the update as soon as possible to protect sensitive information.

Frequently asked questions

What is CVE-2026-6429 — Credentials Leak in cURL?

CVE-2026-6429 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where passwords from .netrc files can be leaked during HTTP redirects, potentially exposing credentials to attackers.

Am I affected by CVE-2026-6429 in cURL?

You are affected if you are using cURL versions 8.12.0 through 8.19.0 and your application uses both .netrc files for authentication and follows HTTP redirects.

How do I fix CVE-2026-6429 in cURL?

Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. As a temporary workaround, disable HTTP redirects or restrict .netrc file usage.

Is CVE-2026-6429 being actively exploited?

Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-6429, but monitoring is advised.

Where can I find the official cURL advisory for CVE-2026-6429?

Refer to the official cURL security advisories on the cURL website for the latest information and updates regarding CVE-2026-6429: https://curl.se/security/


CVE-2026-6429 — Vulnerability Details | NextGuard