Escanear grátis
Análise pendenteCVE-2026-7168

CVE-2026-7168: Proxy Header Leak in libcurl

Plataforma

c

Componente

curl

Corrigido em

8.19.1

Ver no NVD
Salvar

CVE-2026-7168 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability arises from improper handling of Proxy-Authorization headers when switching between HTTP proxies. An attacker could potentially leverage this flaw to leak authentication credentials, compromising the security of applications using libcurl. The vulnerability was published on May 13, 2026, and a fix is available in version 8.19.1.

Impacto e Cenários de Ataquetraduzindo…

The core of this vulnerability lies in libcurl's handling of proxy authentication headers. When a client connects to proxyA using Digest authentication and then switches to proxyB without properly clearing the previous authentication information, libcurl incorrectly forwards the Proxy-Authorization header intended for proxyA to proxyB. This allows an attacker controlling proxyA to potentially eavesdrop on or manipulate traffic destined for proxyB, even if proxyB uses a different authentication scheme or has stricter security policies. The potential impact includes unauthorized access to resources behind proxyB, data exfiltration, and man-in-the-middle attacks. While not a direct remote code execution vulnerability, the header leakage can be a stepping stone for further exploitation.

Contexto de Exploraçãotraduzindo…

Currently, there is no public proof-of-concept (POC) code available for CVE-2026-7168. The vulnerability's exploitation probability is assessed as low to medium, given the technical complexity of orchestrating the proxy switching scenario. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The NVD and CISA databases will be updated as more information becomes available.

Inteligência de Ameaças

Status do Exploit

Prova de ConceitoDesconhecido
CISA KEVNO

EPSS

0.03% (percentil 10%)

Software Afetado

Componentecurl
Fornecedorcurl
Versão mínima8.12.0
Versão máxima8.19.0
Corrigido em8.19.1

Classificação de Fraqueza (CWE)

CWE-294

Linha do tempo

  1. Reservado
  2. Publicada
  3. EPSS atualizado

Mitigação e Soluções Alternativastraduzindo…

The primary mitigation for CVE-2026-7168 is to upgrade to libcurl version 8.19.1 or later. This version includes a fix that correctly handles proxy header transitions, preventing the unauthorized forwarding of authentication credentials. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling Digest authentication or restricting the use of multiple proxies within the same libcurl handle. Additionally, review your application's proxy configuration to ensure that sensitive information is not inadvertently exposed. After upgrading, confirm the fix by testing proxy switching scenarios and verifying that the Proxy-Authorization header is not being incorrectly passed to subsequent proxies.

Como corrigirtraduzindo…

Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de estado de autenticación Digest. Esta vulnerabilidad permite que la información de autenticación de un proxy se transmita incorrectamente a otro proxy, lo que podría comprometer la seguridad de las comunicaciones.

Perguntas frequentestraduzindo…

What is CVE-2026-7168 — Proxy Header Leak in libcurl?

CVE-2026-7168 is a vulnerability in libcurl where incorrect handling of proxy headers can lead to authentication credentials being leaked to unintended proxies. This affects versions 8.12.0–8.19.0 and allows potential information disclosure.

Am I affected by CVE-2026-7168 in libcurl?

You are affected if you are using libcurl versions 8.12.0 through 8.19.0 and your application utilizes HTTP proxies with Digest authentication. Check your libcurl version and proxy configurations to determine your risk level.

How do I fix CVE-2026-7168 in libcurl?

Upgrade to libcurl version 8.19.1 or later to resolve the vulnerability. If upgrading is not immediately possible, consider temporary workarounds like disabling Digest authentication or restricting proxy usage.

Is CVE-2026-7168 being actively exploited?

Currently, there are no public reports of CVE-2026-7168 being actively exploited, but it's crucial to apply the fix or implement workarounds to mitigate potential risks.

Where can I find the official libcurl advisory for CVE-2026-7168?

Refer to the official libcurl project website and security mailing lists for the latest information and advisories regarding CVE-2026-7168: https://curl.se/security/

Seu projeto está afetado?

Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.

Escanear grátisBuscar CVEs
ao vivoverificação gratuita

Experimente agora — sem conta

Faça upload de qualquer manifesto (composer.lock, package-lock.json, lista de plugins WordPress…) ou cole sua lista de componentes. Receba um relatório de vulnerabilidades instantaneamente. Fazer upload de um arquivo é só o começo: com uma conta, você obtém monitoramento contínuo, alertas por Slack/email, relatórios multiprojeto e white-label.

Escaneamento manualAlertas por Slack/e-mailMonitoramento ContínuoRelatórios de marca branca

Arraste e solte seu arquivo de dependências

composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...