{"id":"CURL-CVE-2026-7009","summary":"OCSP stapling bypass with Apple SecTrust","details":"When curl is told to use the Certificate Status Request TLS extension, often\nreferred to as *OCSP stapling*, to verify that the server certificate is\nvalid, it fails to detect OCSP problems and instead wrongly considers the\nresponse as fine.","aliases":["CVE-2026-7009"],"modified":"2026-04-29T14:05:08.419817Z","published":"2026-04-29T08:00:00Z","database_specific":{"affects":"both","www":"https://curl.se/docs/CVE-2026-7009.html","issue":"https://hackerone.com/reports/3694390","severity":"Medium","package":"curl","CWE":{"id":"CWE-295","desc":"Improper Certificate Validation"},"URL":"https://curl.se/docs/CVE-2026-7009.json","last_affected":"8.19.0"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.17.0"},{"fixed":"8.20.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"eefd03c572996e5de4dec4fe295ad6f103e0eefc"},{"fixed":"51905671e07f087e28e5741063646c379fe17d89"}]}],"versions":["8.19.0","8.18.0","8.17.0"],"database_specific":{"vanir_signatures":[{"id":"CURL-CVE-2026-7009-10477259","target":{"file":"lib/vtls/openssl.c"},"source":"https://github.com/curl/curl.git/commit/51905671e07f087e28e5741063646c379fe17d89","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["281561516296048034461942107792512658740","130495573668886043558713801524753297430","28032674530989727382368037384118812857","58789915446143880879127277405553830503","196859332260118428262127076906485400635","241720696807293931685546187667992107003","10600314697658732467727494117451947703","277108684260883679066498837699569709972","161630115168354249620100559294369861276","268326472292602632831779513730604275699","77929905525980707375128624556306579873"]},"signature_type":"Line","deprecated":false},{"id":"CURL-CVE-2026-7009-63610a8e","target":{"file":"lib/vtls/openssl.c","function":"ossl_apple_verify"},"source":"https://github.com/curl/curl.git/commit/51905671e07f087e28e5741063646c379fe17d89","signature_version":"v1","digest":{"length":957,"function_hash":"158376452266852961534051614206996832747"},"signature_type":"Function","deprecated":false}],"source":"https://curl.se/docs/CURL-CVE-2026-7009.json","vanir_signatures_modified":"2026-04-29T14:05:08Z"}}],"schema_version":"1.7.5","credits":[{"name":"Carlos Carrillo","type":"FINDER"},{"name":"Stefan Eissing","type":"REMEDIATION_DEVELOPER"}]}