Escanear grátis
Análise pendenteCVE-2026-5545

CVE-2026-5545: Connection Reuse Vulnerability in libcurl

Plataforma

c

Componente

curl

Corrigido em

8.19.1

Ver no NVD
Salvar

CVE-2026-5545 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability stems from a logical error in connection reuse logic, potentially allowing an attacker to exploit a connection authenticated with different credentials. Successful exploitation could lead to unauthorized access to resources and data. A fix is available in version 8.19.1.

Impacto e Cenários de Ataquetraduzindo…

The core of the vulnerability lies in libcurl's connection pooling mechanism. When an application makes authenticated HTTP(S) requests, libcurl attempts to reuse existing connections to improve performance. However, under specific circumstances involving Negotiate authentication, the code incorrectly reuses a connection authenticated with different credentials. This means an attacker could potentially hijack a connection previously used by a legitimate user, gaining access to resources they shouldn't have. The impact is particularly severe in environments where sensitive data is transmitted over HTTP(S), such as financial transactions or access to private APIs. While the description doesn't explicitly mention it, a successful exploit could lead to session hijacking and unauthorized data modification.

Contexto de Exploraçãotraduzindo…

CVE-2026-5545 was published on May 13, 2026. Its severity is pending evaluation. Currently, there are no publicly known Proof-of-Concept (POC) exploits. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS. Given the nature of the vulnerability – improper connection reuse – it's plausible that attackers could develop exploits targeting applications that rely heavily on libcurl for HTTP(S) communication.

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido
CISA KEVNO

EPSS

0.04% (percentil 13%)

Software Afetado

Componentecurl
Fornecedorcurl
Versão mínima8.12.0
Versão máxima8.19.0
Corrigido em8.19.1

Classificação de Fraqueza (CWE)

CWE-305

Linha do tempo

  1. Reservado
  2. Publicada
  3. EPSS atualizado

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation for CVE-2026-5545 is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. One potential workaround is to disable connection reuse entirely, although this will negatively impact performance. Another approach is to carefully review application code to ensure that authentication credentials are properly managed and that connections are not inadvertently reused across different authentication contexts. Monitor libcurl logs for unusual connection activity. After upgrading, confirm the fix by performing authenticated HTTP(S) requests and verifying that connections are not being reused improperly.

Como corrigirtraduzindo…

Actualice a la versión 8.19.1 o posterior para evitar la reutilización incorrecta de conexiones HTTP Negotiate. Esta vulnerabilidad permite que un atacante potencialmente robe credenciales al reutilizar conexiones autenticadas incorrectamente.  Verifique las fuentes oficiales de libcurl para obtener instrucciones de actualización específicas para su sistema operativo.

Perguntas frequentestraduzindo…

What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?

CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0–8.19.0 that allows unauthorized connection reuse in HTTP(S) requests after Negotiate authentication, potentially exposing sensitive data.

Am I affected by CVE-2026-5545 in libcurl?

If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check your libcurl version using curl --version.

How do I fix CVE-2026-5545 in libcurl?

Upgrade to libcurl version 8.19.1 or later to resolve this vulnerability. If upgrading is not possible immediately, consider temporary workarounds like disabling connection reuse.

Is CVE-2026-5545 being actively exploited?

Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-5545, but it's crucial to apply the fix proactively.

Where can I find the official libcurl advisory for CVE-2026-5545?

Refer to the libcurl project's security announcements for the official advisory: https://curl.se/security/

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátisBuscar CVEs
ao vivoverificação gratuita

Experimente agora — sem conta

Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.

Escaneamento manualAlertas por Slack/e-mailMonitoramento ContínuoRelatórios de marca branca

Arraste e solte seu arquivo de dependências

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...