Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-11856

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

View on NVD

Analysis

libcurl has a critical vulnerability where Digest authentication headers are improperly reused across different hosts. If your application reuses libcurl handles for requests to multiple origins, sensitive credentials intended for one server may be leaked to another server.

Relevant roles

BackendCyberSecurityCPhpPythonLinux

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH

EPSS

Probability of exploitation (next 30 days): 0.0025 (0.3%)
Percentile: 16.2%
EPSS: 2026-07-06

Technical description

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

Published: 7/3/2026, 7:16:23 AM
Last modified: 7/6/2026, 7:16:54 PM

References

HomeEventsBlogResourcesTeam