CVE-2026-6253: Proxy Credential Leak in cURL 8.12.0–8.19.0
Platform
curl
Component
curl
Fixed in
8.19.1
CVE-2026-6253 affects versions of cURL between 8.12.0 and 8.19.0. This vulnerability allows credentials intended for one proxy to be inadvertently passed to a subsequent proxy, potentially exposing sensitive information. The issue arises from how cURL handles redirects between different URL schemes when multiple proxies are configured. A fix is available in cURL 8.19.1.
Impact and Attack Scenarios
An attacker could exploit this vulnerability by crafting a malicious URL that triggers a redirect from one scheme (e.g., HTTP) to another (e.g., HTTPS), leveraging the configured proxy settings. This would cause cURL to forward the credentials of the first proxy to the second proxy, even if the second proxy does not require authentication. The potential impact is significant, as it could allow an attacker to gain unauthorized access to resources protected by the second proxy, potentially leading to data breaches or system compromise. The blast radius depends on the privileges and access granted by the second proxy. This is particularly concerning in environments with strict proxy authentication policies.
Exploitation Context
CVE-2026-6253 was published on 2026-05-13. There is currently no public proof-of-concept (POC) code available. The EPSS score is pending evaluation, indicating the current assessment of exploitability is unknown. Monitor security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Threat Intelligence
Exploit Status
EPSS
0.02% (4th percentile)
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigation and Workarounds
The primary mitigation is to upgrade to cURL version 8.19.1 or later, which addresses the credential forwarding issue. If upgrading is not immediately feasible, consider implementing stricter proxy authentication policies to minimize the impact of a potential credential leak. Specifically, ensure that all proxies require authentication and that credentials are not inadvertently passed between proxies. Network segmentation can also limit the lateral movement potential if this vulnerability is exploited. Review proxy configurations to ensure proper authentication and authorization policies are in place.
How to Remediate
Upgrade to version 8.19.1 or later to avoid the accidental disclosure of proxy credentials. This issue occurs when following redirects between different URL schemes while using proxies with and without credentials. Make sure your cURL version is up to date to mitigate this risk.
Frequently Asked Questions
What is CVE-2026-6253 — Proxy Credential Leak in cURL?
CVE-2026-6253 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where credentials for a first proxy can be inadvertently passed to a second proxy due to how redirects are handled between different URL schemes. Severity pending evaluation.
Am I affected by CVE-2026-6253 in cURL?
You are affected if you are using cURL versions 8.12.0 to 8.19.0 and have configured multiple proxies with different authentication requirements. Check your cURL version with curl --version.
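The version check above can be scripted for fleet inventories. The following is an added example, not part of the advisory or the curl project: it parses the first line of `curl --version` (assumed to have the standard "curl X.Y.Z (...)" shape) and tests the number against the affected range 8.12.0 through 8.19.0.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether an installed curl
# falls in the range affected by CVE-2026-6253 (8.12.0 through 8.19.0).

# Convert "MAJOR.MINOR.PATCH" into one integer that sorts numerically,
# so that 8.9.0 compares below 8.12.0 (plain string comparison would not).
version_key() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 (true) when the version is within the affected range, 1 otherwise.
curl_affected_by_cve_2026_6253() {
  k=$(version_key "$1")
  lo=$(version_key 8.12.0)
  hi=$(version_key 8.19.0)
  [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Extract the version from the first line of `curl --version`, which is
# assumed to look like "curl 8.19.0 (x86_64-pc-linux-gnu) libcurl/8.19.0 ...".
parse_curl_version() {
  printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Check the locally installed binary, if any.
if command -v curl >/dev/null 2>&1; then
  v=$(parse_curl_version "$(curl --version 2>/dev/null)")
  if [ -z "$v" ]; then
    echo "could not parse curl version output"
  elif curl_affected_by_cve_2026_6253 "$v"; then
    echo "curl $v is affected by CVE-2026-6253; upgrade to 8.19.1 or later"
  else
    echo "curl $v is outside the affected range"
  fi
fi
```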
How do I fix CVE-2026-6253 in cURL?
Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. If immediate upgrade is not possible, review and strengthen proxy authentication policies.
Is CVE-2026-6253 being actively exploited?
Currently, there are no reports of active exploitation or publicly available proof-of-concept code for CVE-2026-6253. However, it's crucial to monitor for updates.
Where can I find the official cURL advisory for CVE-2026-6253?
Refer to the official cURL security advisory for CVE-2026-6253 on the cURL website: https://curl.se/security/.