Description
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.
Published: 2026-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential leakage via HTTP proxy reuse
Action: Patch Immediately
AI Analysis

Impact

curl reuses an existing connection to an HTTP proxy, one over which a CONNECT tunnel has already been established, for a later request that supplies different proxy credentials. Instead of opening a separate connection and authenticating to the proxy with the new credentials, curl sends the later request through a tunnel the proxy authenticated under the earlier ones. The two credential contexts are therefore not kept apart: the proxy attributes and authorizes the second request under the first request's identity, and credentials bound to one context end up associated with another context's traffic. The weakness is classified as CWE-305, Authentication Bypass by Primary Weakness.

Affected Systems

The CNA record identifies the product only by the wildcard CPE cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*, so no affected or fixed version range is given on this page. Any curl command-line build or libcurl-based application that predates the release carrying the fix should be treated as potentially affected; the curl advisory for CVE-2026-3784 and the distribution advisories listed under Advisories below give exact versions.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N: reachable over the network, no privileges or user interaction required, low confidentiality and integrity impact, no availability impact. EPSS is below 1 %, the SSVC assessment records no known exploitation (Exploitation: none, Automatable: yes), and the CVE is not in CISA's KEV catalog. The exposure arises wherever a single curl invocation or libcurl-based process sends requests through the same HTTP proxy under more than one set of proxy credentials, for example a service that relays traffic on behalf of several users or tenants: a request meant to authenticate to the proxy as one account can instead travel through a CONNECT tunnel the proxy has already authenticated for another, so the proxy's per-credential authorization and accounting are bypassed and the credential contexts are no longer isolated. The record describes an impact confined to the proxy authentication boundary; it does not describe code execution or any effect on the end server's own authentication.
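The connection-matching rule at the heart of this bug, as an added illustration rather than code from curl or from the CVE record: a toy connection pool in Python, with the hostnames (proxy.internal:3128, example.com), the alice/bob credentials and all class and function names constructed for the example. Run with the credential check off, it reproduces the reuse the description complains about; with the check on, it creates the separate connection the description calls the proper behaviour.

```python
"""Toy model of an HTTP client's connection pool, illustrating CVE-2026-3784.

Added example for this page; it is not curl's code. The class and field names,
the cache-matching rule and the sample requests (proxy.internal:3128 and the
alice/bob credentials) are all constructed for the illustration. It shows the
one thing the CVE text describes: a pool that matches a cached CONNECT tunnel
on proxy and destination alone hands a tunnel authenticated with one set of
proxy credentials to a request carrying a different set; a pool that also
matches on the proxy credentials opens a separate connection instead.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    url_host: str                        # origin reached through the CONNECT tunnel
    url_port: int
    proxy: str                           # "host:port" of the HTTP proxy
    proxy_userpwd: Optional[str] = None  # credentials this request wants in Proxy-Authorization


@dataclass
class Connection:
    proxy: str
    tunnel_target: Tuple[str, int]       # (host, port) negotiated with CONNECT
    proxy_userpwd: Optional[str]         # credentials the proxy accepted when the tunnel was set up
    requests_served: List[Request] = field(default_factory=list)


class ConnectionPool:
    """match_proxy_credentials=False reproduces the faulty behaviour; True is the fix."""

    def __init__(self, match_proxy_credentials: bool):
        self.match_proxy_credentials = match_proxy_credentials
        self.conns: List[Connection] = []

    def _matches(self, conn: Connection, req: Request) -> bool:
        if conn.proxy != req.proxy:
            return False
        if conn.tunnel_target != (req.url_host, req.url_port):
            return False
        # The fix: a tunnel is only reusable by requests with the same proxy credentials.
        if self.match_proxy_credentials and conn.proxy_userpwd != req.proxy_userpwd:
            return False
        return True

    def perform(self, req: Request) -> Connection:
        for conn in self.conns:
            if self._matches(conn, req):
                # Reuse: no new CONNECT, no new Proxy-Authorization. The request rides
                # whatever authentication the tunnel was established with.
                conn.requests_served.append(req)
                return conn
        # Cache miss: open a new connection and CONNECT with this request's credentials.
        conn = Connection(req.proxy, (req.url_host, req.url_port), req.proxy_userpwd)
        conn.requests_served.append(req)
        self.conns.append(conn)
        return conn


def credential_mixups(pool: ConnectionPool) -> List[Tuple[Request, Optional[str]]]:
    """(request, tunnel credentials) pairs where a request was carried by a tunnel the
    proxy authenticated under different credentials than the request specified."""
    return [
        (req, conn.proxy_userpwd)
        for conn in pool.conns
        for req in conn.requests_served
        if req.proxy_userpwd != conn.proxy_userpwd
    ]


def run_scenario(match_proxy_credentials: bool) -> ConnectionPool:
    """Two proxy accounts, same proxy, same destination, within one client process."""
    pool = ConnectionPool(match_proxy_credentials)
    alice = Request("example.com", 443, "proxy.internal:3128", "alice:s3cret")
    bob = Request("example.com", 443, "proxy.internal:3128", "bob:hunter2")
    pool.perform(alice)   # opens a tunnel, CONNECT authenticated as alice
    pool.perform(bob)     # faulty: reuses alice's tunnel; fixed: opens a second one
    pool.perform(alice)   # legitimate reuse of alice's tunnel in both modes
    return pool


if __name__ == "__main__":
    for mode in (False, True):
        pool = run_scenario(mode)
        label = "fixed " if mode else "faulty"
        print(f"{label}: {len(pool.conns)} connection(s), "
              f"{len(credential_mixups(pool))} request(s) carried on a tunnel "
              f"authenticated with other credentials")
```

Running the file prints one line per mode. The third request is the detail worth noting: matching on credentials does not cost legitimate reuse, since alice's second request still rides her existing tunnel, so the fix only separates requests whose proxy credentials differ.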

Generated by OpenCVE AI on March 16, 2026 at 23:13 UTC.

Remediation

This record lists no vendor fix or workaround. The curl project's advisory for CVE-2026-3784 and the distribution advisories listed under Advisories below should be consulted for the fixed versions.

OpenCVE Recommended Actions

  • Update curl and libcurl to the release that contains the CVE‑2026‑3784 fix, or apply the distribution update (Ubuntu USN-8084-1 and USN-8099-1 are listed below).
  • Until the update is in place, do not let a single curl invocation or libcurl process talk to the same proxy with more than one set of proxy credentials. Where that cannot be avoided, disable connection reuse for those transfers: set CURLOPT_FRESH_CONNECT (and CURLOPT_FORBID_REUSE) on the easy handle so each transfer opens, and then closes, its own proxy connection, at the cost of an extra TCP handshake and CONNECT per transfer.
  • On the proxy side, make sure authorization and accounting are enforced per credential, so that a request carried on a tunnel authenticated as a different account is at least attributable in the logs.
  • Monitor proxy authentication logs for a single client source whose traffic is attributed to several accounts over one connection, or for account activity that does not match the client expected to hold those credentials.

Advisories

Source      ID          Title
Ubuntu USN  USN-8084-1  curl vulnerabilities
Ubuntu USN  USN-8099-1  curl vulnerabilities

History

Fri, 13 Mar 2026 00:15:00 +0000
  References: updated (values not shown)
  Metrics, threat_severity: removed None, added Moderate

Thu, 12 Mar 2026 14:15:00 +0000
  First Time appeared: added Haxx; Haxx curl
  CPEs: added cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
  Vendors & Products: added Haxx; Haxx curl

Thu, 12 Mar 2026 10:15:00 +0000
  First Time appeared: added Curl; Curl curl
  Vendors & Products: added Curl; Curl curl

Wed, 11 Mar 2026 16:15:00 +0000
  Weaknesses: added CWE-305
  Metrics, cvssV3_1: added {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
  Metrics, ssvc: added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 11:30:00 +0000
  References: updated (values not shown)

Wed, 11 Mar 2026 10:30:00 +0000
  Description: added "curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection."
  Title: added "wrong proxy connection reuse with credentials"
  References: updated (values not shown)

MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-03-11T15:48:41.725Z

Reserved: 2026-03-08T05:09:52.279Z

Link: CVE-2026-3784

Vulnrichment

Updated: 2026-03-11T10:16:32.844Z

NVD

Status : Analyzed

Published: 2026-03-11T11:16:00.437

Modified: 2026-03-12T14:09:50.470

Link: CVE-2026-3784

Redhat

Severity : Moderate

Public Date: 2026-03-11T10:09:21Z

Links: CVE-2026-3784 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-20T14:37:24Z

Weaknesses