CVE-2026-6276 describes a cookie leak vulnerability within libcurl, a widely used library for transferring data with URLs. This flaw allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. The vulnerability affects versions 8.12.0 through 8.19.0, and a fix is available in version 8.19.1.
影响与攻击场景翻译中…
The core of the vulnerability lies in how libcurl handles the Host: header in subsequent HTTP requests. When a custom Host: header is initially set, libcurl stores this information. If a second request is made using the same easy handle but without explicitly setting the Host: header, libcurl incorrectly reuses the stale Host: value from the first request. This can lead to cookies intended for the original host being inadvertently sent with the second request, exposing them to an attacker. The impact is the potential exposure of session cookies, authentication tokens, or other sensitive data transmitted via cookies. Successful exploitation could allow an attacker to impersonate a user or gain unauthorized access to protected resources.
利用背景翻译中…
CVE-2026-6276 was published on May 13, 2026. It is not currently listed on KEV (Knowledge-based Enumeration of Vulnerabilities) or EPSS (Exploit Prediction Scoring System), indicating a low to medium probability of exploitation. No public proof-of-concept (POC) code is currently available. The vulnerability's impact is primarily dependent on the application's reliance on cookies for authentication and session management.
威胁情报
漏洞利用状态
EPSS
0.01% (1% 百分位)
受影响的软件
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2026-6276 is to upgrade to libcurl version 8.19.1 or later. This version contains the fix that correctly handles the Host: header in subsequent requests. If upgrading is not immediately feasible, consider implementing a workaround by explicitly setting the Host: header for every HTTP request made through libcurl, ensuring no stale values are used. Web application firewalls (WAFs) configured to inspect HTTP headers might be able to detect and block suspicious requests exhibiting this pattern, but this is not a substitute for patching. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual cookie behavior in application logs is recommended.
修复方法翻译中…
Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de cookies. Esta vulnerabilidad ocurre cuando se utiliza un encabezado 'Host' personalizado y se realiza una segunda solicitud sin él, lo que puede llevar a que se utilicen cookies incorrectas.
常见问题翻译中…
What is CVE-2026-6276 — Cookie Leak in libcurl?
CVE-2026-6276 is a vulnerability in libcurl versions 8.12.0 through 8.19.0 that allows attackers to potentially leak sensitive cookie information by manipulating HTTP requests. It stems from how libcurl handles the Host header.
Am I affected by CVE-2026-6276 in libcurl?
If you are using libcurl versions 8.12.0 through 8.19.0, you are potentially affected by this vulnerability. Check your libcurl version using 'curl --version'.
How do I fix CVE-2026-6276 in libcurl?
The recommended fix is to upgrade to libcurl version 8.19.1 or later. If upgrading is not immediately possible, explicitly set the Host header for every HTTP request.
Is CVE-2026-6276 being actively exploited?
As of now, CVE-2026-6276 is not known to be actively exploited. However, the potential for exploitation exists, and proactive patching is recommended.
Where can I find the official libcurl advisory for CVE-2026-6276?
Refer to the libcurl security announcements page for the official advisory: https://curl.se/security/
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...