libcurl, Authentication Bypass, CVE-2026-1965 (Medium)

Listen to this Post

libcurl maintains a pool of network connections to reuse for subsequent requests, avoiding the overhead of creating new connections. When a new HTTP or HTTPS request using Negotiate authentication is made, libcurl searches this pool for an existing connection to the same server that meets specific criteria. Due to a logical error, the connection matching logic fails to properly verify that the credentials associated with a cached connection match the credentials for the new request. Because the Negotiate mechanism can sometimes authenticate the underlying connection itself rather than a specific HTTP request, reusing a connection that was authenticated with different credentials causes the new request to be sent over a channel already authenticated for a previous user. For example, if an application authenticates as ‘user1’ and reuses that connection for a request intended for ‘user2’, the server processes the second request under the security context of ‘user1’. This flaw exists because the code does not adequately isolate connection authentication states when credentials differ. The issue affects all libcurl versions from 7.10.6 up to and including 8.18.0 .

dailycve form:

Platform: curl
Version: 7.10.6-8.18.0
Vulnerability: Authentication bypass
Severity: Medium
date: 2026-03-11

Prediction: Patched 2026-03-11

What Undercode Say:

Analytics

The vulnerability stems from improper connection state isolation in the connection pool. The flaw was introduced in commit e56ae1426cb7a0a4a427cf8d6099a821fdaae428 and fixed in commits 34fa034d9a390c4bd65e2d05262755ec8646ac12 and f1a39f221d57354990e3eeeddc3404aede2aff70 .

Bash/Codes

Check installed curl version
curl --version
Example of forcing a fresh connection to mitigate (temporary workaround)
curl --negotiate -u : --fresh-connect https://example.com/
In code using libcurl, the workaround is to set options:
CURLOPT_FRESH_CONNECT = 1L
Or limit the connection cache:
CURLOPT_MAXCONNECTS = 1L
Git commands to view the fix
git clone https://github.com/curl/curl.git
cd curl
git show 34fa034d9a390c4bd65e2d05262755ec8646ac12
git show f1a39f221d57354990e3eeeddc3404aede2aff70

How Exploit:

An attacker would need to coerce an application into making sequential Negotiate-authenticated requests to the same server using different user credentials while the initial connection remains alive. If the application uses libcurl’s default connection reuse, the second request (for user2) will be sent over the connection authenticated for user1, effectively allowing the attacker to perform actions as user1 without possessing those credentials .

Protection from this CVE

  • Upgrade: Update to libcurl version 8.19.0 or later .
  • Patch: Apply the official patches to versions 7.10.6 through 8.18.0 .
  • Mitigation: If upgrading is not immediately possible, disable connection reuse for Negotiate-authenticated sessions by setting CURLOPT_FRESH_CONNECT, limiting the connection cache with CURLOPT_MAXCONNECTS, or configuring `CURLMOPT_MAX_HOST_CONNECTIONS` .

Impact

A request intended for one set of user credentials can be processed by the server using a different user’s authenticated session. This leads to broken authentication isolation, potential unauthorized access to resources, data exposure, and incorrect audit attribution. The impact is most severe in multi-tenant applications or services that handle requests for multiple users over persistent connections .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top