{"id":"CURL-CVE-2026-6276","summary":"stale custom cookie host causes cookie leak","details":"Using libcurl, when a custom `Host:` header is first set for an HTTP request\nand a second request is subsequently done using the same *easy handle* but\nwithout the custom `Host:` header set, the second request would use stale\ninformation and pass on cookies meant for the first host in the second\nrequest, leaking them.","aliases":["CVE-2026-6276"],"modified":"2026-04-29T14:05:08.676955Z","published":"2026-04-29T08:00:00Z","database_specific":{"last_affected":"8.19.0","severity":"Low","issue":"https://hackerone.com/reports/3671818","package":"curl","CWE":{"id":"CWE-346","desc":"Origin Validation Error"},"www":"https://curl.se/docs/CVE-2026-6276.html","URL":"https://curl.se/docs/CVE-2026-6276.json","affects":"lib"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.71.0"},{"fixed":"8.20.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"e15e51384a423be31318b3c9c7d612a1aae661fd"},{"fixed":"3a19987a87f393d9394fe5acc7643f6c263c92db"}]}],"versions":["8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0"],"database_specific":{"vanir_signatures_modified":"2026-04-29T14:05:08Z","vanir_signatures":[{"deprecated":false,"digest":{"length":1414,"function_hash":"87592061230657955318981218133684999975"},"signature_type":"Function","target":{"function":"http_header_s","file":"lib/http.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-0ac65ced"},{
"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["171988240512984612269587551632163038571","75389831611962138348117264801186539779","73309598378597236808913704521649040122","309646044060919705357756477712025259850"]},"signature_type":"Line","target":{"file":"lib/request.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-0ffe0f69"},{"deprecated":false,"digest":{"length":1702,"function_hash":"32051988689081819522737095878233749408"},"signature_type":"Function","target":{"function":"http_cookies","file":"lib/http.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-11ff6443"},{"deprecated":false,"digest":{"length":2418,"function_hash":"302147203344973433846057051405572447583"},"signature_type":"Function","target":{"function":"Curl_close","file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-2729c5da"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["174911612641010941780281456357795994083","182851755633630007462614611881954198795","264369094720985994471578876087369011512","223266319994001853435859657481562263016"]},"signature_type":"Line","target":{"file":"lib/request.h"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-4f4a3478"},{"deprecated":false,"digest":{"length":1808,"function_hash":"305791396478226075161736883888702136045"},"signature_type":"Function","target":{"function":"http_set_aptr_host","file":"lib/http.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-5741a933"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["28398215081199530598675346528846
1254359","13272546088090968712004108453229921672","167426382410054945077929403440748535987","30112886187398335960284659399942913113","89959965356516376283576457035109926291","65012684279830032400373560626778044514","277638126568657774373486091485254830257","16357392304951050524263955452404846358","98648851675095774467569604512276434063","211464355238834856707255458651466173398","100175197604038361224512095789956406932","109730848940614471037942941140006037492","140193860686819141126457796534230004668","286575543071640766658936213512709959211","46397033835876317614014667242428368194","243253942449659807455321154521747228966","165774944775710093316824606978267144930","258653442541979759167112828639262956820","192064049689208402819665008320946912087"]},"signature_type":"Line","target":{"file":"lib/http.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-64949095"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["254921028774265211208121895098925147474","304514420562509900711684113576259828185","254392577978580508779840959026138582541","222543298672355698477439219408390343716"]},"signature_type":"Line","target":{"file":"lib/url.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-bd4dcaea"},{"deprecated":false,"digest":{"length":1532,"function_hash":"53635957160524668241827803467331392725"},"signature_type":"Function","target":{"function":"Curl_req_hard_reset","file":"lib/request.c"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-c0002ed9"},{"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["47901756535975908674893528439717975135","117783477264053496164275795880668466993","5957519917623989520335370390434225490","189490742605084598927439303412946635010","52306912415285677
421639882584265520515","174420618053987917779352372379083604925"]},"signature_type":"Line","target":{"file":"lib/urldata.h"},"source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","signature_version":"v1","id":"CURL-CVE-2026-6276-ebf2e4e4"}],"source":"https://curl.se/docs/CURL-CVE-2026-6276.json"}}],"schema_version":"1.7.5","credits":[{"name":"Muhamad Arga Reksapati","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}