CVE-2026-6253 - Vulnerability Details

- proxy credentials leak over redirect-to proxy

Description

curl might erroneously pass on credentials for a first proxy to a second
proxy.

This can happen when the following conditions are true:

1. curl is setup to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say `http://`), curl is asked to follow
a redirect to a URL using another scheme (say `https://`), accessed using a
second, different, proxy

Published: 2026-05-13

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability afflicts cURL, the popular command‑line tool and library for handling network requests. When cURL is configured to use distinct proxy servers for different URL schemes, a redirection that moves from a URL accessed through an authenticated proxy to a URL that uses an unauthenticated proxy can inadvertently leak the credentials of the original authenticated proxy. The CNA lists this weakness as both CWE‑201, a credential disclosure vulnerability, and CWE‑522, which highlights improper handling or storage of credentials. An attacker who can observe or influence the traffic generated by a configured curl instance could capture these credentials and use them to gain unauthorized network access or to learn sensitive configuration details.

Affected Systems

This flaw impacts all cURL installations—the command‑line tool and the libcurl library—regardless of platform, because no specific version numbers were supplied by the CNA. Given the absence of a version range, any release that still follows the legacy proxy handling model is potentially affected, until the issue is fixed in a newer version.

Risk and Exploitability

With a CVSS score of 5.9 the flaw is moderate in severity. The EPSS score is < 1% (0.00043) and the vulnerability is not listed in the CISA KEV catalog, indicating that broad exploitation is unlikely at present. The attack requires a curl configuration that uses separate proxies for different URL schemes and a subsequent redirect that changes the proxy context. Based on the description, the attacker must either monitor traffic to the curl instance or actively influence the redirect to capture the leaked credentials—a relatively constrained ad‑hoc scenario.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

curl

unaffected

Version	Status	Constraints
`8.19.0`	affected	≤ 8.19.0
`8.18.0`	affected	≤ 8.18.0
`8.17.0`	affected	≤ 8.17.0
`8.16.0`	affected	≤ 8.16.0
`8.15.0`	affected	≤ 8.15.0
`8.14.1`	affected	≤ 8.14.1
`8.14.0`	affected	≤ 8.14.0
`8.13.0`	affected	≤ 8.13.0
`8.12.1`	affected	≤ 8.12.1
`8.12.0`	affected	≤ 8.12.0
`8.11.1`	affected	≤ 8.11.1
`8.11.0`	affected	≤ 8.11.0
`8.10.1`	affected	≤ 8.10.1
`8.10.0`	affected	≤ 8.10.0
`8.9.1`	affected	≤ 8.9.1
`8.9.0`	affected	≤ 8.9.0
`8.8.0`	affected	≤ 8.8.0
`8.7.1`	affected	≤ 8.7.1
`8.7.0`	affected	≤ 8.7.0
`8.6.0`	affected	≤ 8.6.0
`8.5.0`	affected	≤ 8.5.0
`8.4.0`	affected	≤ 8.4.0
`8.3.0`	affected	≤ 8.3.0
`8.2.1`	affected	≤ 8.2.1
`8.2.0`	affected	≤ 8.2.0
`8.1.2`	affected	≤ 8.1.2
`8.1.1`	affected	≤ 8.1.1
`8.1.0`	affected	≤ 8.1.0
`8.0.1`	affected	≤ 8.0.1
`8.0.0`	affected	≤ 8.0.0
`7.88.1`	affected	≤ 7.88.1
`7.88.0`	affected	≤ 7.88.0
`7.87.0`	affected	≤ 7.87.0
`7.86.0`	affected	≤ 7.86.0
`7.85.0`	affected	≤ 7.85.0
`7.84.0`	affected	≤ 7.84.0
`7.83.1`	affected	≤ 7.83.1
`7.83.0`	affected	≤ 7.83.0
`7.82.0`	affected	≤ 7.82.0
`7.81.0`	affected	≤ 7.81.0
`7.80.0`	affected	≤ 7.80.0
`7.79.1`	affected	≤ 7.79.1
`7.79.0`	affected	≤ 7.79.0
`7.78.0`	affected	≤ 7.78.0
`7.77.0`	affected	≤ 7.77.0
`7.76.1`	affected	≤ 7.76.1
`7.76.0`	affected	≤ 7.76.0
`7.75.0`	affected	≤ 7.75.0
`7.74.0`	affected	≤ 7.74.0
`7.73.0`	affected	≤ 7.73.0
`7.72.0`	affected	≤ 7.72.0
`7.71.1`	affected	≤ 7.71.1
`7.71.0`	affected	≤ 7.71.0
`7.70.0`	affected	≤ 7.70.0
`7.69.1`	affected	≤ 7.69.1
`7.69.0`	affected	≤ 7.69.0
`7.68.0`	affected	≤ 7.68.0
`7.67.0`	affected	≤ 7.67.0
`7.66.0`	affected	≤ 7.66.0
`7.65.3`	affected	≤ 7.65.3
`7.65.2`	affected	≤ 7.65.2
`7.65.1`	affected	≤ 7.65.1
`7.65.0`	affected	≤ 7.65.0
`7.64.1`	affected	≤ 7.64.1
`7.64.0`	affected	≤ 7.64.0
`7.63.0`	affected	≤ 7.63.0
`7.62.0`	affected	≤ 7.62.0
`7.61.1`	affected	≤ 7.61.1
`7.61.0`	affected	≤ 7.61.0
`7.60.0`	affected	≤ 7.60.0
`7.59.0`	affected	≤ 7.59.0
`7.58.0`	affected	≤ 7.58.0
`7.57.0`	affected	≤ 7.57.0
`7.56.1`	affected	≤ 7.56.1
`7.56.0`	affected	≤ 7.56.0
`7.55.1`	affected	≤ 7.55.1
`7.55.0`	affected	≤ 7.55.0
`7.54.1`	affected	≤ 7.54.1
`7.54.0`	affected	≤ 7.54.0
`7.53.1`	affected	≤ 7.53.1
`7.53.0`	affected	≤ 7.53.0
`7.52.1`	affected	≤ 7.52.1
`7.52.0`	affected	≤ 7.52.0
`7.51.0`	affected	≤ 7.51.0
`7.50.3`	affected	≤ 7.50.3
`7.50.2`	affected	≤ 7.50.2
`7.50.1`	affected	≤ 7.50.1
`7.50.0`	affected	≤ 7.50.0
`7.49.1`	affected	≤ 7.49.1
`7.49.0`	affected	≤ 7.49.0
`7.48.0`	affected	≤ 7.48.0
`7.47.1`	affected	≤ 7.47.1
`7.47.0`	affected	≤ 7.47.0
`7.46.0`	affected	≤ 7.46.0
`7.45.0`	affected	≤ 7.45.0
`7.44.0`	affected	≤ 7.44.0
`7.43.0`	affected	≤ 7.43.0
`7.42.1`	affected	≤ 7.42.1
`7.42.0`	affected	≤ 7.42.0
`7.41.0`	affected	≤ 7.41.0
`7.40.0`	affected	≤ 7.40.0
`7.39.0`	affected	≤ 7.39.0
`7.38.0`	affected	≤ 7.38.0
`7.37.1`	affected	≤ 7.37.1
`7.37.0`	affected	≤ 7.37.0
`7.36.0`	affected	≤ 7.36.0
`7.35.0`	affected	≤ 7.35.0
`7.34.0`	affected	≤ 7.34.0
`7.33.0`	affected	≤ 7.33.0
`7.32.0`	affected	≤ 7.32.0
`7.31.0`	affected	≤ 7.31.0
`7.30.0`	affected	≤ 7.30.0
`7.29.0`	affected	≤ 7.29.0
`7.28.1`	affected	≤ 7.28.1
`7.28.0`	affected	≤ 7.28.0
`7.27.0`	affected	≤ 7.27.0
`7.26.0`	affected	≤ 7.26.0
`7.25.0`	affected	≤ 7.25.0
`7.24.0`	affected	≤ 7.24.0
`7.23.1`	affected	≤ 7.23.1
`7.23.0`	affected	≤ 7.23.0
`7.22.0`	affected	≤ 7.22.0
`7.21.7`	affected	≤ 7.21.7
`7.21.6`	affected	≤ 7.21.6
`7.21.5`	affected	≤ 7.21.5
`7.21.4`	affected	≤ 7.21.4
`7.21.3`	affected	≤ 7.21.3
`7.21.2`	affected	≤ 7.21.2
`7.21.1`	affected	≤ 7.21.1
`7.21.0`	affected	≤ 7.21.0
`7.20.1`	affected	≤ 7.20.1
`7.20.0`	affected	≤ 7.20.0
`7.19.7`	affected	≤ 7.19.7
`7.19.6`	affected	≤ 7.19.6
`7.19.5`	affected	≤ 7.19.5
`7.19.4`	affected	≤ 7.19.4
`7.19.3`	affected	≤ 7.19.3
`7.19.2`	affected	≤ 7.19.2
`7.19.1`	affected	≤ 7.19.1
`7.19.0`	affected	≤ 7.19.0
`7.18.2`	affected	≤ 7.18.2
`7.18.1`	affected	≤ 7.18.1
`7.18.0`	affected	≤ 7.18.0
`7.17.1`	affected	≤ 7.17.1
`7.17.0`	affected	≤ 7.17.0
`7.16.4`	affected	≤ 7.16.4
`7.16.3`	affected	≤ 7.16.3
`7.16.2`	affected	≤ 7.16.2
`7.16.1`	affected	≤ 7.16.1
`7.16.0`	affected	≤ 7.16.0
`7.15.5`	affected	≤ 7.15.5
`7.15.4`	affected	≤ 7.15.4
`7.15.3`	affected	≤ 7.15.3
`7.15.2`	affected	≤ 7.15.2
`7.15.1`	affected	≤ 7.15.1
`7.15.0`	affected	≤ 7.15.0
`7.14.1`	affected	≤ 7.14.1

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Curl

80%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade cURL to the latest release that contains the credential‑redirection fix
Reconfigure cURL to employ a single proxy for all URL schemes or disable automatic redirects when the proxy setting changes
Enforce strict proxy authentication checks on the server side to reject any credentials forwarded to unauthenticated endpoints
Monitor outbound traffic for unexpected proxy headers or unauthorized redirects, and audit logs for credential leakage

Generated by OpenCVE AI on May 14, 2026 at 15:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8227-1	curl vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/29/11
https://curl.se/docs/CVE-2026-6253.html
https://curl.se/docs/CVE-2026-6253.json
https://hackerone.com/reports/3669637
https://nvd.nist.gov/vuln/detail/CVE-2026-6253
https://www.cve.org/CVERecord?id=CVE-2026-6253

History

Thu, 14 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haxx Haxx curl
Weaknesses		CWE-522
CPEs		cpe:2.3:a:haxx:curl::::::::
Vendors & Products		Haxx Haxx curl

Wed, 13 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Wed, 13 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/29/11

Wed, 13 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials.	curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
Title	curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies	proxy credentials leak over redirect-to proxy
References		https://curl.se/docs/CVE-2026-6253.json https://hackerone.com/reports/3669637

Fri, 01 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Fri, 01 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials.
Title		curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies
Weaknesses		CWE-201
References		https://curl.se/docs/CVE-2026-6253.html https://nvd.nist.gov/vuln/detail/CVE-2026-6253 https://www.cve.org/CVERecord?id=CVE-2026-6253
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

Subscriptions

Curl Curl

Haxx Curl

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-05-13T08:28:03.004Z

Updated: 2026-05-13T17:42:40.102Z

Reserved: 2026-04-13T20:11:11.991Z

Link: CVE-2026-6253

Vulnrichment

Updated: 2026-05-13T09:05:31.000Z

NVD

Status : Analyzed

Published: 2026-05-13T13:01:56.570

Modified: 2026-05-14T13:40:53.190

Link: CVE-2026-6253

Redhat

Severity : Moderate

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6253 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T15:15:23Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object