{"id":"CURL-CVE-2026-12064","summary":"proto-default skips SSH verification","details":"When a user invokes curl using a schemeless URL combined with\n`--proto-default` sftp (or scp), a disconnect occurs between the tool layer\nand libcurl. The tool layer incorrectly infers the URL scheme, which\nerroneously bypasses the initialization of critical SSH security options like\nCURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS. Conversely, the\nlibcurl runtime successfully honors CURLOPT_DEFAULT_PROTOCOL and establishes\nthe connection via SFTP/SCP as specified. Because the tool layer skipped the\nsecurity configuration, these SSH host verification options are silently\nomitted, causing curl to connect to an unverified SSH remote host without\nthrowing an error.","aliases":["CVE-2026-12064"],"modified":"2026-06-24T08:07:07.622902Z","published":"2026-06-24T08:00:00Z","database_specific":{"CWE":{"desc":"Improper Validation of Certificate with Host Mismatch","id":"CWE-297"},"last_affected":"8.20.0","affects":"tool","www":"https://curl.se/docs/CVE-2026-12064.html","severity":"Low","URL":"https://curl.se/docs/CVE-2026-12064.json","package":"curl","issue":"https://hackerone.com/reports/3797526"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.81.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"18270893abdb19f0ca170c118f8a2847dbd304be"},{"fixed":"ab3bb8cd8be8f9d4acb97da0418abc279182041e"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","rc-8_21_0-2","rc-8_21_0-1","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","tiny-curl-8_4_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0"],"database_specific":{"vanir_signatures_modified":"2026-06-24T08:07:07Z","vanir_signatures":[{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/ab3bb8cd8be8f9d4acb97da0418abc279182041e","target":{"function":"url_proto_and_rewrite","file":"src/config2setopts.c"},"deprecated":false,"digest":{"function_hash":"93882114240828177653085948016490702110","length":1136},"signature_type":"Function","id":"CURL-CVE-2026-12064-b3eb1e8d"},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/ab3bb8cd8be8f9d4acb97da0418abc279182041e","target":{"file":"src/config2setopts.c"},"deprecated":false,"digest":{"line_hashes":["140522849194369262228739833591374391075","47558339863403131453033268292745221021","15975670465097192282932354355781322912","220902106392793621708295317072227537429","198975573407202876764184453290488326371","3746734021152446245522935287251443430","170664250380509585141008070840604764918","161765996811876613295849122885315630101","5374207038386086385366965339124772674","261071834960052502162471400348777792193","315214669734780166251393141450779423952","11348971201187702211989874254882715935","304598240625625498609896974683940486911","176332074864481965282682475802544330239","61413842227513765548216582872062936189","152095212190975018695576316498032629201","12824638474895083873042971640073707981","147131897269297204095220721174340290043","201687314332511709623400018059706721695","304787371272254069598680308305763126609","293436386607034365026241199574672026404","169057705388842471260387887033403810014","136995815859804498330318491255401917183","48843095567586818894551844502984755450","119204995110705058858166647734024530825"],"threshold":0.9},"signature_type":"Line","id":"CURL-CVE-2026-12064-d5619c82"}],"source":"https://curl.se/docs/CURL-CVE-2026-12064.json"}}],"schema_version":"1.7.5","credits":[{"name":"alienowo on hackerone (AntAISecurityLab)","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}