CVE-2026-7009: OCSP Stapling Flaw in curl 8.17.0–8.19.0

The core of this vulnerability lies in curl's mishandling of OCSP stapling responses. OCSP stapling is designed to provide real-time certificate revocation status, ensuring that clients only connect to valid certificates. CVE-2026-7009 allows an attacker to present a malicious certificate, and curl will incorrectly validate it as legitimate, even if the certificate has been revoked. This opens the door to man-in-the-middle (MITM) attacks, where an attacker can intercept and potentially modify network traffic between the client and the server. The impact is particularly severe for applications that rely on curl for secure communication, such as web browsers, API clients, and automation scripts. Successful exploitation could lead to data breaches, credential theft, and other malicious activities.

1. Reservado2026-04-25
2. Publicada2026-05-13
3. EPSS atualizado2026-05-13

The primary mitigation for CVE-2026-7009 is to upgrade to curl version 8.19.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. While not a complete solution, disabling OCSP stapling can reduce the risk, but it also weakens certificate validation. This can be done by setting the --no-ocs-stapling flag when invoking curl. Monitor network traffic for suspicious activity and consider using a Web Application Firewall (WAF) to detect and block malicious requests. After upgrading, confirm the fix by running curl against a known secure HTTPS endpoint and verifying that certificate validation proceeds as expected.