{"id":"CURL-CVE-2026-9079","summary":"stale proxy password leak","details":"libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them.","aliases":["CVE-2026-9079"],"modified":"2026-06-24T14:05:45.202035Z","published":"2026-06-24T08:00:00Z","database_specific":{"CWE":{"desc":"Insufficiently Protected Credentials","id":"CWE-522"},"issue":"https://hackerone.com/reports/3750295","last_affected":"8.20.0","package":"curl","URL":"https://curl.se/docs/CVE-2026-9079.json","www":"https://curl.se/docs/CVE-2026-9079.html","affects":"lib","severity":"Medium"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"8.8.0"},{"fixed":"8.21.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"d5e83eb745762f48d8fafadc5df5dd3ae8d8941e"},{"fixed":"88c7e16cceec816a2df45c899d49b1e85513f193"}]}],"versions":["8.20.0","8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","curl-8_20_0","rc-8_20_0-3","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2026-9079.json","vanir_signatures":[{"source":"https://github.com/curl/curl.git/commit/88c7e16cceec816a2df45c899d49b1e85513f193","deprecated":false,"target":{"file":"lib/setopt.c","function":"setopt_cptr_proxy"},"id":"CURL-CVE-2026-9079-a6e1475f","signature_type":"Function","digest":{"length":3298,"function_hash":"168585028151243835991960072474819965478"},"signature_version":"v1"},{"source":"https://github.com/curl/curl.git/commit/88c7e16cceec816a2df45c899d49b1e85513f193","deprecated":false,"target":{"file":"lib/setopt.c"},"id":"CURL-CVE-2026-9079-befc3d48","signature_type":"Line","digest":{"line_hashes":["201907121624263517412055040846016692525","130093980200049809120171674846457167074","58013635168143467067474374538820063815","276288106112898693284983216203465450996","43324181074524053230508296889915600609","229180499800345167080719869611143086925","229085348540286290754432530392328657402","174235609601289511659669647822260596764","326018910786740246118855664220576875499","131736690723632290894190285806675464880","329386817036569852960206217203634067544","290360746431318158190314481670118614844","100981296658875490485601069770513651939"],"threshold":0.9},"signature_version":"v1"}],"vanir_signatures_modified":"2026-06-24T14:05:45Z"}}],"schema_version":"1.7.5","credits":[{"name":"Guancheng Li","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}