Skip to content
CVSS 9.8 · CRITICAL

CVE-2026-9079

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

View on NVD

Analysis

A critical vulnerability in libcurl (curl) fails to properly clear proxy authentication credentials, allowing them to be leaked or reused in subsequent transfers. Given curl's near-universal use in backend and mobile development, this could lead to unauthorized session access or credential exposure across many applications.

Relevant roles

BackendCyberSecurityLinuxCC++Php

Severity

Score: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH

EPSS

Probability of exploitation (next 30 days): 0.0025 (0.3%)
Percentile: 16.2%
EPSS: 2026-07-06

Technical description

libcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.

Published: 7/3/2026, 7:16:25 AM
Last modified: 7/6/2026, 6:20:47 PM

References

HomeEventsBlogResourcesTeam