CVE-2026-6429 is a security vulnerability affecting cURL versions 8.12.0 through 8.19.0. This issue arises when cURL is configured to use a .netrc file for authentication and simultaneously follows HTTP redirects. Under specific conditions, the password used for the initial host can be inadvertently leaked to the redirected host, compromising sensitive credentials.
Impact and attack scenarios
The primary impact of CVE-2026-6429 is the potential for credential leakage. An attacker who can control the HTTP redirect destination can trick cURL into sending the initial host's password to a malicious server. This could lead to unauthorized access to systems and data protected by those credentials. The blast radius depends on the sensitivity of the credentials stored in the .netrc file and the permissions associated with the affected cURL instances. This vulnerability shares similarities with other authentication bypass vulnerabilities where improper handling of credentials can lead to privilege escalation or data exfiltration.
Exploitation context
CVE-2026-6429 was published on May 13, 2026. The EPSS score is pending evaluation. Currently, there are no publicly available proof-of-concept exploits. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Threat intelligence
Exploitation status
EPSS
0.02% (4th percentile)
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Publication date
- EPSS last updated
Mitigations and workarounds
The recommended mitigation for CVE-2026-6429 is to upgrade to cURL version 8.19.1 or later, which contains the fix. If upgrading is not immediately feasible, consider disabling HTTP redirects or restricting the use of .netrc files in environments where this vulnerability poses a significant risk. As a temporary workaround, carefully review and restrict the domains that cURL is allowed to access, limiting the potential for redirection to malicious sites. After upgrading, verify the fix by attempting a transfer with a redirect and confirming that the password is not exposed in the redirected request.
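The two conditions the advisory names (an affected cURL build, plus .netrc authentication combined with redirect following) can be triaged across a fleet without touching any credentials. The following is an added example, not code from the advisory or from the curl project: it parses the first line of `curl --version` output against the affected range 8.12.0 to 8.19.0 (fixed in 8.19.1), and scans shell or CI script lines for curl invocations that pair a .netrc option with `-L`/`--location`. The `curl --version` text and script lines used in it are constructed samples, and the bundled-short-flag handling is a heuristic, not a full reimplementation of curl's option parser.

```python
"""Triage helper for CVE-2026-6429 (cURL .netrc password leak on redirect).

Added example, not part of the original advisory or of the curl project.
  1. parse_curl_version / is_affected_version: is this build in the
     affected range 8.12.0 .. 8.19.0 (fix shipped in 8.19.1)?
  2. invocation_is_risky / scan_script: does a script run curl with a
     .netrc option AND redirect following, the combination the advisory
     says is required for the leak?
All sample inputs are constructed for the demonstration.
"""
import os
import re
import shlex
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_MIN: Version = (8, 12, 0)
AFFECTED_MAX: Version = (8, 19, 0)   # inclusive; 8.19.1 contains the fix
FIXED: Version = (8, 19, 1)


def parse_curl_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from the first line of `curl --version`.

    The first line of real output starts with 'curl X.Y.Z (platform) ...';
    anything else returns None rather than guessing.
    """
    m = re.search(r"^curl\s+(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: Version) -> bool:
    """True when the build falls inside the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


# Long and short options that enable .netrc lookups or redirect following.
NETRC_OPTS = {"-n", "--netrc", "--netrc-optional"}      # --netrc-file handled below
REDIRECT_OPTS = {"-L", "--location", "--location-trusted"}


def invocation_is_risky(cmdline: str) -> bool:
    """True when one curl command line uses .netrc and follows redirects.

    Heuristic: bundled short flags such as '-sSLn' are split into letters
    only when the whole cluster is alphabetic, so '-o out.txt' is untouched.
    """
    try:
        argv = shlex.split(cmdline, comments=True)
    except ValueError:          # unbalanced quotes: not a parseable curl call
        return False
    if not argv or os.path.basename(argv[0]) != "curl":
        return False
    uses_netrc = uses_redirect = False
    for arg in argv[1:]:
        if arg in NETRC_OPTS or arg.startswith("--netrc-file"):
            uses_netrc = True
        elif arg in REDIRECT_OPTS:
            uses_redirect = True
        elif arg.startswith("-") and not arg.startswith("--") and arg[1:].isalpha():
            flags = set(arg[1:])   # bundled short flags, e.g. -sSLn
            uses_netrc = uses_netrc or "n" in flags
            uses_redirect = uses_redirect or "L" in flags
    return uses_netrc and uses_redirect


def scan_script(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every risky curl invocation in a script."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if invocation_is_risky(line.strip()):
            hits.append((lineno, line.strip()))
    return hits


if __name__ == "__main__":
    # Constructed sample of a `curl --version` first line (not a real host).
    sample_version_output = (
        "curl 8.14.1 (x86_64-pc-linux-gnu) libcurl/8.14.1 OpenSSL/3.0.13\n"
        "Release-Date: 2025-06-04\n"
    )
    v = parse_curl_version(sample_version_output)
    print("curl version:", v, "affected:", is_affected_version(v))

    # Constructed deploy script with one risky and two safe invocations.
    sample_script = """#!/bin/sh
curl -sSLn -o release.tgz https://example.invalid/releases/latest
curl -n https://example.invalid/api/status
curl -L https://example.invalid/public/readme.txt
"""
    for lineno, line in scan_script(sample_script):
        print(f"line {lineno}: .netrc + redirects -> {line}")
```

Run the script as-is to see the constructed samples triaged; in practice feed it the real `curl --version` output and the contents of your CI or cron scripts. A hit on a build inside the affected range is the signal to upgrade to 8.19.1 or, until then, to drop `-L` or the .netrc option from that invocation, as the advisory's workaround suggests.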
Remediation
Upgrade to version 8.19.1 or later to prevent the credential leak. This issue occurs when a .netrc file is used and HTTP redirects are followed, so it is important to apply the update as soon as possible to protect sensitive information.
Frequently asked questions
What is CVE-2026-6429 — Credentials Leak in cURL?
CVE-2026-6429 is a vulnerability in cURL versions 8.12.0 through 8.19.0 where passwords from .netrc files can be leaked during HTTP redirects, potentially exposing credentials to attackers.
Am I affected by CVE-2026-6429 in cURL?
You are affected if you are using cURL versions 8.12.0 through 8.19.0 and your application uses both .netrc files for authentication and follows HTTP redirects.
How do I fix CVE-2026-6429 in cURL?
Upgrade to cURL version 8.19.1 or later to resolve the vulnerability. As a temporary workaround, disable HTTP redirects or restrict .netrc file usage.
Is CVE-2026-6429 being actively exploited?
Currently, there are no publicly known active exploitation campaigns targeting CVE-2026-6429, but monitoring is advised.
Where can I find the official cURL advisory for CVE-2026-6429?
Refer to the official cURL security advisories on the cURL website for the latest information and updates regarding CVE-2026-6429: https://curl.se/security/