CVE-2026-5545 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability stems from a logical error in connection reuse logic, potentially allowing an attacker to exploit a connection authenticated with different credentials. Successful exploitation could lead to unauthorized access to resources and data. A fix is available in version 8.19.1.
影响与攻击场景翻译中…
The core of the vulnerability lies in libcurl's connection pooling mechanism. When an application makes authenticated HTTP(S) requests, libcurl attempts to reuse existing connections to improve performance. However, under specific circumstances involving Negotiate authentication, the code incorrectly reuses a connection authenticated with different credentials. This means an attacker could potentially hijack a connection previously used by a legitimate user, gaining access to resources they shouldn't have. The impact is particularly severe in environments where sensitive data is transmitted over HTTP(S), such as financial transactions or access to private APIs. While the description doesn't explicitly mention it, a successful exploit could lead to session hijacking and unauthorized data modification.
利用背景翻译中…
CVE-2026-5545 was published on May 13, 2026. Its severity is pending evaluation. Currently, there are no publicly known Proof-of-Concept (POC) exploits. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog or EPSS. Given the nature of the vulnerability – improper connection reuse – it's plausible that attackers could develop exploits targeting applications that rely heavily on libcurl for HTTP(S) communication.
威胁情报
漏洞利用状态
EPSS
0.04% (13% 百分位)
受影响的软件
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2026-5545 is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. One potential workaround is to disable connection reuse entirely, although this will negatively impact performance. Another approach is to carefully review application code to ensure that authentication credentials are properly managed and that connections are not inadvertently reused across different authentication contexts. Monitor libcurl logs for unusual connection activity. After upgrading, confirm the fix by performing authenticated HTTP(S) requests and verifying that connections are not being reused improperly.
修复方法翻译中…
Actualice a la versión 8.19.1 o posterior para evitar la reutilización incorrecta de conexiones HTTP Negotiate. Esta vulnerabilidad permite que un atacante potencialmente robe credenciales al reutilizar conexiones autenticadas incorrectamente. Verifique las fuentes oficiales de libcurl para obtener instrucciones de actualización específicas para su sistema operativo.
常见问题翻译中…
What is CVE-2026-5545 — Connection Reuse Vulnerability in libcurl?
CVE-2026-5545 is a vulnerability in libcurl versions 8.12.0–8.19.0 that allows unauthorized connection reuse in HTTP(S) requests after Negotiate authentication, potentially exposing sensitive data.
Am I affected by CVE-2026-5545 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected. Check your libcurl version using curl --version.
How do I fix CVE-2026-5545 in libcurl?
Upgrade to libcurl version 8.19.1 or later to resolve this vulnerability. If upgrading is not possible immediately, consider temporary workarounds like disabling connection reuse.
Is CVE-2026-5545 being actively exploited?
Currently, there are no publicly known exploits or active campaigns targeting CVE-2026-5545, but it's crucial to apply the fix proactively.
Where can I find the official libcurl advisory for CVE-2026-5545?
Refer to the libcurl project's security announcements for the official advisory: https://curl.se/security/
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...