CVE-2026-4873: TLS Bypass in curl 8.12.0–8.19.0

The primary impact of CVE-2026-4873 is the potential for unencrypted data transmission. An attacker who can control the initial connection to a server (e.g., via an IMAP, SMTP, or POP3 transfer) can then trigger a subsequent request to the same host. Because of the flawed connection pool management, this subsequent request will bypass TLS entirely, sending data unencrypted. This could expose sensitive credentials, personal information, or other confidential data. The blast radius is significant for any system using curl to communicate with servers using these protocols, particularly in automated workflows or scripting environments where connection reuse is common. The risk is amplified in environments where curl is used to access sensitive services like email servers or web APIs.

1. Reserved2026-03-26
2. Publicada2026-05-13

The definitive mitigation for CVE-2026-4873 is to upgrade to curl version 8.19.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Disabling connection reuse within curl configurations (if possible) can reduce the attack surface, although this may impact performance. Network-level firewalls and intrusion detection systems (IDS) can be configured to monitor for unusual traffic patterns, such as cleartext communication over ports typically used for TLS-encrypted connections. Review curl configurations and scripts to identify instances where connection reuse is enabled and assess the potential risk. After upgrading, verify the fix by initiating a cleartext connection followed by a TLS connection to the same host and confirming that the second connection is indeed encrypted.