curl (libcurl), Improper Authentication, CVE-2026-3784 (Low)

Listen to this Post

The vulnerability stems from a flaw in libcurl’s connection reuse logic when communicating with HTTP proxies that require authentication. When a connection to a proxy is established using the CONNECT method, it creates a tunnel, typically for HTTPS traffic. libcurl maintains a cache of these connections for performance reasons. The error occurs in the function responsible for matching an existing connection to a new request. Specifically, the matching logic compares the proxy’s type, host, and port but fails to compare the proxy username and password . Therefore, if a shared connection cache is used (via `CURLSH` and CURL_LOCK_DATA_CONNECT), a subsequent transfer that specifies different, or even invalid, proxy credentials can incorrectly reuse an existing CONNECT tunnel that was authenticated with a different set of valid credentials . This means a request intended to use “bad:bad” credentials can be sent over a tunnel originally set up with “good:good” credentials, effectively bypassing the proxy authentication policy for that second request . The proxy server only ever sees the first successful CONNECT request. This issue affects libcurl versions from 7.7 up to and including 8.18.0 and was fixed in version 8.19.0 .

dailycve form:

Platform: curl / libcurl
Version: 7.7 to 8.18.0
Vulnerability : Proxy credential reuse
Severity: Low (Medium context)
date: 2026-03-11

Prediction: Patch already available (8.19.0)

What Undercode Say:

Analytics

The vulnerability is present in code handling HTTP proxy CONNECT tunnels within the connection cache.
The root cause is in `url_match_proxy_use()` calling proxy_info_matches(), which omits a credential comparison .
Exploitation requires a shared connection cache (CURLSHOPT_SHARE with CURL_LOCK_DATA_CONNECT) .
The flaw allows a request with incorrect proxy credentials to succeed by reusing an authenticated tunnel .
The official patch is included in the curl 8.19.0 release .
The vulnerability was reported via HackerOne on March 4, 2026 .
Public disclosure and CVE assignment occurred on March 11, 2026 .

Exploit:

This is a conceptual demonstration of the flaw.
It assumes a proxy (localhost:8080) requiring authentication and a target server.
1. Start a test proxy that logs credentials (e.g., using a simple Python script).
2. Compile a small C program using libcurl with a shared connection cache.
Or, hypothetically, if the curl tool itself could share a cache this would work.
The following curl commands demonstrate the intended failure without the cache.
Transfer 1: Uses correct credentials, should succeed.
curl -v -x http://proxy:8080 --proxy-user good:good https://example.com
Transfer 2: Uses incorrect credentials.
In a vulnerable, non-shared context, this fails with 407 Proxy Auth Required.
curl -v -x http://proxy:8080 --proxy-user bad:bad https://example.com
In a vulnerable shared cache context (like a daemon), the second command
would succeed because libcurl would reuse the tunnel from the first command,
never sending the "bad:bad" credentials to the proxy.

Protection from this CVE

Upgrade to curl/libcurl version 8.19.0 or later .

Apply the official patch if an immediate upgrade to 8.19.0 is not feasible .
As a workaround, avoid using a shared connection cache (CURLSH) in multi-tenant applications where different proxy credentials are used .
Disable HTTP proxy keep-alive or connection reuse if strict per-request authentication is required.

Impact

Bypass of HTTP proxy authentication policies .

In multi-tenant architectures or daemon services using a shared pool, a request can be executed under a more privileged proxy identity than intended .
Potential for unauthorized access to proxied resources that rely on the authenticated proxy user for access control decisions .
The primary risk is authentication and authorization bypass, not remote code execution .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top