CVE-2026-7168 affects versions 8.12.0 through 8.19.0 of libcurl. This vulnerability arises from improper handling of Proxy-Authorization headers when switching between HTTP proxies. An attacker could potentially leverage this flaw to leak authentication credentials, compromising the security of applications using libcurl. The vulnerability was published on May 13, 2026, and a fix is available in version 8.19.1.
影响与攻击场景翻译中…
The core of this vulnerability lies in libcurl's handling of proxy authentication headers. When a client connects to proxyA using Digest authentication and then switches to proxyB without properly clearing the previous authentication information, libcurl incorrectly forwards the Proxy-Authorization header intended for proxyA to proxyB. This allows an attacker controlling proxyA to potentially eavesdrop on or manipulate traffic destined for proxyB, even if proxyB uses a different authentication scheme or has stricter security policies. The potential impact includes unauthorized access to resources behind proxyB, data exfiltration, and man-in-the-middle attacks. While not a direct remote code execution vulnerability, the header leakage can be a stepping stone for further exploitation.
利用背景翻译中…
Currently, there is no public proof-of-concept (POC) code available for CVE-2026-7168. The vulnerability's exploitation probability is assessed as low to medium, given the technical complexity of orchestrating the proxy switching scenario. It is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns. The NVD and CISA databases will be updated as more information becomes available.
威胁情报
漏洞利用状态
EPSS
0.03% (10% 百分位)
受影响的软件
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The primary mitigation for CVE-2026-7168 is to upgrade to libcurl version 8.19.1 or later. This version includes a fix that correctly handles proxy header transitions, preventing the unauthorized forwarding of authentication credentials. If upgrading is not immediately feasible, consider implementing a temporary workaround by disabling Digest authentication or restricting the use of multiple proxies within the same libcurl handle. Additionally, review your application's proxy configuration to ensure that sensitive information is not inadvertently exposed. After upgrading, confirm the fix by testing proxy switching scenarios and verifying that the Proxy-Authorization header is not being incorrectly passed to subsequent proxies.
修复方法翻译中…
Actualice a la versión 8.19.1 o posterior de libcurl para evitar la fuga de estado de autenticación Digest. Esta vulnerabilidad permite que la información de autenticación de un proxy se transmita incorrectamente a otro proxy, lo que podría comprometer la seguridad de las comunicaciones.
常见问题翻译中…
What is CVE-2026-7168 — Proxy Header Leak in libcurl?
CVE-2026-7168 is a vulnerability in libcurl where incorrect handling of proxy headers can lead to authentication credentials being leaked to unintended proxies. This affects versions 8.12.0–8.19.0 and allows potential information disclosure.
Am I affected by CVE-2026-7168 in libcurl?
You are affected if you are using libcurl versions 8.12.0 through 8.19.0 and your application utilizes HTTP proxies with Digest authentication. Check your libcurl version and proxy configurations to determine your risk level.
How do I fix CVE-2026-7168 in libcurl?
Upgrade to libcurl version 8.19.1 or later to resolve the vulnerability. If upgrading is not immediately possible, consider temporary workarounds like disabling Digest authentication or restricting proxy usage.
Is CVE-2026-7168 being actively exploited?
Currently, there are no public reports of CVE-2026-7168 being actively exploited, but it's crucial to apply the fix or implement workarounds to mitigate potential risks.
Where can I find the official libcurl advisory for CVE-2026-7168?
Refer to the official libcurl project website and security mailing lists for the latest information and advisories regarding CVE-2026-7168: https://curl.se/security/
立即试用 — 无需账户
上传任何清单文件 (composer.lock, package-lock.json, WordPress 插件列表…) 或粘贴您的组件列表。您立即获得一份漏洞报告。上传文件只是开始:拥有账户后,您将获得持续监控、Slack/电子邮件警报、多项目和白标报告。
拖放您的依赖文件
composer.lock、package-lock.json、requirements.txt、Gemfile.lock、pubspec.lock、Dockerfile...