CVE-2026-3783 - Vulnerability Details

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.

If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.

Published: 2026-03-11

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

When curl performs an HTTP(S) transfer using an OAuth2 bearer token and that transfer follows a redirect to a second URL, the client may inadvertently transmit the bearer token to the second host. Because curl associates the token with the original hostname, if the redirected-to hostname matches an entry in the user’s .netrc file (via the `machine` or `default` keyword), that token is added to the request for the second service. This results in accidental exposure of the bearer token, which can be used by an attacker to impersonate the user on a different service. The vulnerability is classified under CWE‑201 (Information Exposure) and CWE‑522 (Insufficiently Protected Credentials).

Affected Systems

Affected product: Haxx’s curl library (denoted by cpe:2.3:a:haxx:curl). No specific version information is supplied in the current data set; users should consult the vendor advisories for patch details.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to control or influence the redirect URL that points to a hostname containing .netrc credentials while the client is making a bearer‑token request to the original host. The likely attack vector is a malicious redirect or misconfiguration that causes curl to forward sensitive credentials to an unintended host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

curl

unaffected

Version	Status	Constraints
`8.18.0`	affected	≤ 8.18.0
`8.17.0`	affected	≤ 8.17.0
`8.16.0`	affected	≤ 8.16.0
`8.15.0`	affected	≤ 8.15.0
`8.14.1`	affected	≤ 8.14.1
`8.14.0`	affected	≤ 8.14.0
`8.13.0`	affected	≤ 8.13.0
`8.12.1`	affected	≤ 8.12.1
`8.12.0`	affected	≤ 8.12.0
`8.11.1`	affected	≤ 8.11.1
`8.11.0`	affected	≤ 8.11.0
`8.10.1`	affected	≤ 8.10.1
`8.10.0`	affected	≤ 8.10.0
`8.9.1`	affected	≤ 8.9.1
`8.9.0`	affected	≤ 8.9.0
`8.8.0`	affected	≤ 8.8.0
`8.7.1`	affected	≤ 8.7.1
`8.7.0`	affected	≤ 8.7.0
`8.6.0`	affected	≤ 8.6.0
`8.5.0`	affected	≤ 8.5.0
`8.4.0`	affected	≤ 8.4.0
`8.3.0`	affected	≤ 8.3.0
`8.2.1`	affected	≤ 8.2.1
`8.2.0`	affected	≤ 8.2.0
`8.1.2`	affected	≤ 8.1.2
`8.1.1`	affected	≤ 8.1.1
`8.1.0`	affected	≤ 8.1.0
`8.0.1`	affected	≤ 8.0.1
`8.0.0`	affected	≤ 8.0.0
`7.88.1`	affected	≤ 7.88.1
`7.88.0`	affected	≤ 7.88.0
`7.87.0`	affected	≤ 7.87.0
`7.86.0`	affected	≤ 7.86.0
`7.85.0`	affected	≤ 7.85.0
`7.84.0`	affected	≤ 7.84.0
`7.83.1`	affected	≤ 7.83.1
`7.83.0`	affected	≤ 7.83.0
`7.82.0`	affected	≤ 7.82.0
`7.81.0`	affected	≤ 7.81.0
`7.80.0`	affected	≤ 7.80.0
`7.79.1`	affected	≤ 7.79.1
`7.79.0`	affected	≤ 7.79.0
`7.78.0`	affected	≤ 7.78.0
`7.77.0`	affected	≤ 7.77.0
`7.76.1`	affected	≤ 7.76.1
`7.76.0`	affected	≤ 7.76.0
`7.75.0`	affected	≤ 7.75.0
`7.74.0`	affected	≤ 7.74.0
`7.73.0`	affected	≤ 7.73.0
`7.72.0`	affected	≤ 7.72.0
`7.71.1`	affected	≤ 7.71.1
`7.71.0`	affected	≤ 7.71.0
`7.70.0`	affected	≤ 7.70.0
`7.69.1`	affected	≤ 7.69.1
`7.69.0`	affected	≤ 7.69.0
`7.68.0`	affected	≤ 7.68.0
`7.67.0`	affected	≤ 7.67.0
`7.66.0`	affected	≤ 7.66.0
`7.65.3`	affected	≤ 7.65.3
`7.65.2`	affected	≤ 7.65.2
`7.65.1`	affected	≤ 7.65.1
`7.65.0`	affected	≤ 7.65.0
`7.64.1`	affected	≤ 7.64.1
`7.64.0`	affected	≤ 7.64.0
`7.63.0`	affected	≤ 7.63.0
`7.62.0`	affected	≤ 7.62.0
`7.61.1`	affected	≤ 7.61.1
`7.61.0`	affected	≤ 7.61.0
`7.60.0`	affected	≤ 7.60.0
`7.59.0`	affected	≤ 7.59.0
`7.58.0`	affected	≤ 7.58.0
`7.57.0`	affected	≤ 7.57.0
`7.56.1`	affected	≤ 7.56.1
`7.56.0`	affected	≤ 7.56.0
`7.55.1`	affected	≤ 7.55.1
`7.55.0`	affected	≤ 7.55.0
`7.54.1`	affected	≤ 7.54.1
`7.54.0`	affected	≤ 7.54.0
`7.53.1`	affected	≤ 7.53.1
`7.53.0`	affected	≤ 7.53.0
`7.52.1`	affected	≤ 7.52.1
`7.52.0`	affected	≤ 7.52.0
`7.51.0`	affected	≤ 7.51.0
`7.50.3`	affected	≤ 7.50.3
`7.50.2`	affected	≤ 7.50.2
`7.50.1`	affected	≤ 7.50.1
`7.50.0`	affected	≤ 7.50.0
`7.49.1`	affected	≤ 7.49.1
`7.49.0`	affected	≤ 7.49.0
`7.48.0`	affected	≤ 7.48.0
`7.47.1`	affected	≤ 7.47.1
`7.47.0`	affected	≤ 7.47.0
`7.46.0`	affected	≤ 7.46.0
`7.45.0`	affected	≤ 7.45.0
`7.44.0`	affected	≤ 7.44.0
`7.43.0`	affected	≤ 7.43.0
`7.42.1`	affected	≤ 7.42.1
`7.42.0`	affected	≤ 7.42.0
`7.41.0`	affected	≤ 7.41.0
`7.40.0`	affected	≤ 7.40.0
`7.39.0`	affected	≤ 7.39.0
`7.38.0`	affected	≤ 7.38.0
`7.37.1`	affected	≤ 7.37.1
`7.37.0`	affected	≤ 7.37.0
`7.36.0`	affected	≤ 7.36.0
`7.35.0`	affected	≤ 7.35.0
`7.34.0`	affected	≤ 7.34.0
`7.33.0`	affected	≤ 7.33.0

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Curl

100%

Version	Status	Scheme	Platform
`8.18.0`	affected	semver	—
`8.17.0`	affected	semver	—
`8.16.0`	affected	semver	—
`8.15.0`	affected	semver	—
`8.14.1`	affected	semver	—
`8.14.0`	affected	semver	—
`8.13.0`	affected	semver	—
`8.12.1`	affected	semver	—
`8.12.0`	affected	semver	—
`8.11.1`	affected	semver	—
`8.11.0`	affected	semver	—
`8.10.1`	affected	semver	—
`8.10.0`	affected	semver	—
`8.9.1`	affected	semver	—
`8.9.0`	affected	semver	—
`8.8.0`	affected	semver	—
`8.7.1`	affected	semver	—
`8.7.0`	affected	semver	—
`8.6.0`	affected	semver	—
`8.5.0`	affected	semver	—
`8.4.0`	affected	semver	—
`8.3.0`	affected	semver	—
`8.2.1`	affected	semver	—
`8.2.0`	affected	semver	—
`8.1.2`	affected	semver	—
`8.1.1`	affected	semver	—
`8.1.0`	affected	semver	—
`8.0.1`	affected	semver	—
`8.0.0`	affected	semver	—
`7.88.1`	affected	semver	—
`7.88.0`	affected	semver	—
`7.87.0`	affected	semver	—
`7.86.0`	affected	semver	—
`7.85.0`	affected	semver	—
`7.84.0`	affected	semver	—
`7.83.1`	affected	semver	—
`7.83.0`	affected	semver	—
`7.82.0`	affected	semver	—
`7.81.0`	affected	semver	—
`7.80.0`	affected	semver	—
`7.79.1`	affected	semver	—
`7.79.0`	affected	semver	—
`7.78.0`	affected	semver	—
`7.77.0`	affected	semver	—
`7.76.1`	affected	semver	—
`7.76.0`	affected	semver	—
`7.75.0`	affected	semver	—
`7.74.0`	affected	semver	—
`7.73.0`	affected	semver	—
`7.72.0`	affected	semver	—
`7.71.1`	affected	semver	—
`7.71.0`	affected	semver	—
`7.70.0`	affected	semver	—
`7.69.1`	affected	semver	—
`7.69.0`	affected	semver	—
`7.68.0`	affected	semver	—
`7.67.0`	affected	semver	—
`7.66.0`	affected	semver	—
`7.65.3`	affected	semver	—
`7.65.2`	affected	semver	—
`7.65.1`	affected	semver	—
`7.65.0`	affected	semver	—
`7.64.1`	affected	semver	—
`7.64.0`	affected	semver	—
`7.63.0`	affected	semver	—
`7.62.0`	affected	semver	—
`7.61.1`	affected	semver	—
`7.61.0`	affected	semver	—
`7.60.0`	affected	semver	—
`7.59.0`	affected	semver	—
`7.58.0`	affected	semver	—
`7.57.0`	affected	semver	—
`7.56.1`	affected	semver	—
`7.56.0`	affected	semver	—
`7.55.1`	affected	semver	—
`7.55.0`	affected	semver	—
`7.54.1`	affected	semver	—
`7.54.0`	affected	semver	—
`7.53.1`	affected	semver	—
`7.53.0`	affected	semver	—
`7.52.1`	affected	semver	—
`7.52.0`	affected	semver	—
`7.51.0`	affected	semver	—
`7.50.3`	affected	semver	—
`7.50.2`	affected	semver	—
`7.50.1`	affected	semver	—
`7.50.0`	affected	semver	—
`7.49.1`	affected	semver	—
`7.49.0`	affected	semver	—
`7.48.0`	affected	semver	—
`7.47.1`	affected	semver	—
`7.47.0`	affected	semver	—
`7.46.0`	affected	semver	—
`7.45.0`	affected	semver	—
`7.44.0`	affected	semver	—
`7.43.0`	affected	semver	—
`7.42.1`	affected	semver	—
`7.42.0`	affected	semver	—
`7.41.0`	affected	semver	—
`7.40.0`	affected	semver	—
`7.39.0`	affected	semver	—
`7.38.0`	affected	semver	—
`7.37.1`	affected	semver	—
`7.37.0`	affected	semver	—
`7.36.0`	affected	semver	—
`7.35.0`	affected	semver	—
`7.34.0`	affected	semver	—
`7.33.0`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update curl to a version that includes a fix for CVE-2026-3783
If upgrading is not immediately possible, configure curl to ignore or disable the .netrc file (e.g., use -n or --netrc-optional) when performing requests that may involve redirects
Avoid using OAuth bearer tokens in contexts that might trigger redirects to hosts with .netrc entries
Check the vendor’s website or security advisories for the latest patch information

Generated by OpenCVE AI on March 16, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8084-1	curl vulnerabilities
Ubuntu USN	USN-8099-1	curl vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/11/2
https://curl.se/docs/CVE-2026-3783.html
https://curl.se/docs/CVE-2026-3783.json
https://hackerone.com/reports/3583983
https://nvd.nist.gov/vuln/detail/CVE-2026-3783
https://www.cve.org/CVERecord?id=CVE-2026-3783

History

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-201
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3783 https://www.cve.org/CVERecord?id=CVE-2026-3783
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 12 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haxx Haxx curl
CPEs		cpe:2.3:a:haxx:curl::::::::
Vendors & Products		Haxx Haxx curl

Thu, 12 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Wed, 11 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-522
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/11/2

Wed, 11 Mar 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
Title		token leak with redirect and netrc
References		https://curl.se/docs/CVE-2026-3783.html https://curl.se/docs/CVE-2026-3783.json https://hackerone.com/reports/3583983

Subscriptions

Curl Curl

Haxx Curl

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-03-11T10:09:08.746Z

Updated: 2026-03-11T14:26:10.788Z

Reserved: 2026-03-08T05:09:09.891Z

Link: CVE-2026-3783

Vulnrichment

Updated: 2026-03-11T10:16:31.282Z

NVD

Status : Analyzed

Published: 2026-03-11T11:16:00.080

Modified: 2026-03-12T14:10:37.300

Link: CVE-2026-3783

Redhat

Severity : Moderate

Publid Date: 2026-03-11T10:09:08Z

Links: CVE-2026-3783 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T14:37:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object