{"id":"CURL-CVE-2026-4873","summary":"connection reuse ignores TLS requirement","details":"A vulnerability exists where a connection requiring TLS incorrectly reuses an\nexisting unencrypted connection from the same connection pool. If an initial\ntransfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request\nto that same host bypasses the TLS requirement and instead transmits data\nunencrypted.","aliases":["CVE-2026-4873"],"modified":"2026-04-29T14:05:08.176030Z","published":"2026-04-29T08:00:00Z","database_specific":{"CWE":{"id":"CWE-319","desc":"Cleartext Transmission of Sensitive Information"},"severity":"Low","affects":"both","URL":"https://curl.se/docs/CVE-2026-4873.json","issue":"https://hackerone.com/reports/3621851","last_affected":"8.19.0","package":"curl","www":"https://curl.se/docs/CVE-2026-4873.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.20.0"},{"fixed":"8.20.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"ec3bb8f727405642a471b4b1b9eb0118fc003104"},{"fixed":"507e7be573b0a76fca597b75ff7cb27a66e7d865"}]}],"versions":["8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","7.70.0","7.69.1","7.69.0","7.68.0","7.67.0","7.66.0","7.65.3","7.65.2","7.65.1","7.65.0","7.64.1","7.64.0","7.63.0","7.62.0","7.61.1","7.61.0","7.60.0","7.59.0","7.58.0","7.57.0","7.56.1","7.56.0","7.55.1","7.55.0","7.54.1","7.54.0","7.53.1","7.53.0","7.52.1","7.52.0","7.51.0","7.50.3","7.50.2","7.50.1","7.50.0","7.49.1","7.49.0","7.48.0","7.47.1","7.47.0","7.46.0","7.45.0","7.44.0","7.43.0","7.42.1","7.42.0","7.41.0","7.40.0","7.39.0","7.38.0","7.37.1","7.37.0","7.36.0","7.35.0","7.34.0","7.33.0","7.32.0","7.31.0","7.30.0","7.29.0","7.28.1","7.28.0","7.27.0","7.26.0","7.25.0","7.24.0","7.23.1","7.23.0","7.22.0","7.21.7","7.21.6","7.21.5","7.21.4","7.21.3","7.21.2","7.21.1","7.21.0","7.20.1","7.20.0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2026-4873.json","vanir_signatures_modified":"2026-04-29T14:05:08Z","vanir_signatures":[{"id":"CURL-CVE-2026-4873-432df36b","target":{"file":"lib/url.c","function":"url_match_ssl_use"},"deprecated":false,"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865","signature_version":"v1","digest":{"length":399,"function_hash":"169885633457962860362958220457320236532"}},{"id":"CURL-CVE-2026-4873-731b3328","target":{"file":"lib/url.c"},"deprecated":false,"signature_type":"Line","source":"https://github.com/curl/curl.git/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["186702639195371621663220614719413669739","98146386134768362884346766368977077720","144008511706963310545008089099783743644","214623997824184722186061516736204732779","124575361568450278741812246576167336919","105135349804760838859480469610730392589","193100289411074928523858916880171338604","6936524333846488920218514747282650233","276618269211397366230394600852763568259","229942947754903715914943302740058426565","288248169414681199400959167724664616055"]}},{"id":"CURL-CVE-2026-4873-9a7ca877","target":{"file":"lib/url.c","function":"url_attach_existing"},"deprecated":false,"signature_type":"Function","source":"https://github.com/curl/curl.git/commit/507e7be573b0a76fca597b75ff7cb27a66e7d865","signature_version":"v1","digest":{"length":1203,"function_hash":"141979231375931355570407370477556625049"}}]}}],"schema_version":"1.7.5","credits":[{"name":"Arkadi Vainbrand","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}