CVE-2026-7168 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability arises from improper handling of Proxy-Authorization headers when switching between HTTP proxies. An attacker could potentially leverage this flaw to leak authentication credentials, compromising the security of applications using libcurl. The vulnerability was published on May 13, 2026, and a fix is available in version 8.19.1.
影響と攻撃シナリオ翻訳中…
The core of this vulnerability lies in libcurl's handling of proxy authentication headers. When a client connects to proxyA using Digest authentication and then switches to proxyB without properly clearing the previous authentication information, libcurl incorrectly forwards the Proxy-Authorization header intended for proxyA to proxyB. This allows an attacker controlling proxyA to potentially eavesdrop on or manipulate traffic destined for proxyB, even if proxyB uses a different authentication scheme or has stricter security policies. The potential impact includes unauthorized access to resources behind proxyB, data exfiltration, and man-in-the-middle attacks. While not a direct remote code execution vulnerability, the header leakage can be a stepping stone for further exploitation.
悪用の状況翻訳中…
Currently, there is no public proof-of-concept (POC) code available for CVE-2026-7168. The vulnerability's exploitation probability is assessed as low to medium, given the technical complexity of orchestrating the proxy switching scenario. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The NVD and CISA databases will be updated as more information becomes available.
脅威インテリジェンス
エクスプロイト状況
EPSS
0.03% (10% パーセンタイル)
影響を受けるソフトウェア
弱点分類 (CWE)
タイムライン
- 予約済み
- 公開日
- EPSS 更新日
緩和策と回避策翻訳中…
The primary mitigation for CVE-2026-7168 is to upgrade to libcurl version 8.19.1 or later. This version includes a fix that correctly handles proxy header transitions, preventing the unauthorized forwarding of authentication credentials. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling Digest authentication or restricting the use of multiple proxies within the same libcurl handle. Additionally, review your application's proxy configuration to ensure that sensitive information is not inadvertently exposed. After upgrading, confirm the fix by testing proxy switching scenarios and verifying that the Proxy-Authorization header is not being incorrectly passed to subsequent proxies.
修正方法翻訳中…
Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de estado de autenticación Digest. Esta vulnerabilidad permite que la información de autenticación de un proxy se transmita incorrectamente a otro proxy, lo que podría comprometer la seguridad de las comunicaciones.
よくある質問翻訳中…
What is CVE-2026-7168 — Proxy Header Leak in libcurl?
CVE-2026-7168 is a vulnerability in libcurl where incorrect handling of proxy headers can lead to authentication credentials being leaked to unintended proxies. This affects versions 8.12.0–8.19.0 and allows potential information disclosure.
Am I affected by CVE-2026-7168 in libcurl?
You are affected if you are using libcurl versions 8.12.0 through 8.19.0 and your application utilizes HTTP proxies with Digest authentication. Check your libcurl version and proxy configurations to determine your risk level.
How do I fix CVE-2026-7168 in libcurl?
Upgrade to libcurl version 8.19.1 or later to resolve the vulnerability. If upgrading is not immediately possible, consider temporary workarounds like disabling Digest authentication or restricting proxy usage.
Is CVE-2026-7168 being actively exploited?
Currently, there are no public reports of CVE-2026-7168 being actively exploited, but it's crucial to apply the fix or implement workarounds to mitigate potential risks.
Where can I find the official libcurl advisory for CVE-2026-7168?
Refer to the official libcurl project website and security mailing lists for the latest information and advisories regarding CVE-2026-7168: https://curl.se/security/
今すぐ試す — アカウント不要
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
依存関係ファイルをドラッグ&ドロップ
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...