Description
A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations.
Published: n/a
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in libcurl allows an attacker to gain access to cookies that belong to one host when a second host is contacted on the same reused TCP connection. The bug occurs when the first request supplies a custom Host header and subsequent requests on the same connection omit a Host header, causing libcurl to send the original host's cookies to the new host. This is an Origin Validation Error (CWE-346) and can expose session data and other cookie-based secrets.

Affected Systems

libcurl, the networking library used in many software products, including the cURL command-line tool, other client tools, and embedded systems. The advisory gives no version information, so any libcurl installation that has not applied a fix should be treated as potentially affected.

Risk and Exploitability

The CVSS score is 3.7, indicating low overall severity. No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog, so little real-world exploitation data is available. Exploitation generally requires debugging configurations to be present, which constrains the attack vector. However, the leak could still occur under normal use wherever connection reuse and custom Host headers are combined.

Generated by OpenCVE AI on May 1, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest libcurl update that fixes CVE-2026-6276.
  • If no patch is available, configure libcurl to disable HTTP connection reuse or enforce a Host header on every request to avoid reusing connections with mismatched hosts.
  • Disable or remove debugging configurations that could aid an attacker in identifying or exploiting the weakness.
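The following Python model is added here to illustrate the mechanism in the description and the "enforce a Host header on every request" recommendation above; it is not libcurl code and not part of the advisory. The Session, Connection and Cookie classes, the hosts 203.0.113.10 and app.example.com, and the cookie value are all constructed for the example. With validate_per_request=False the client carries the previous request's effective host across a reused connection, which is the behaviour the advisory describes; with validate_per_request=True the effective host is recomputed for every request, and leaked_cookies() is a defender-side check that flags cookies on the wire whose domain does not match the host the request was addressed to.

```python
"""Toy model of cookie scoping across a reused HTTP connection.

Added illustration, not libcurl code: it models the failure mode in the
advisory (a custom Host header's cookies carried over to a later request
on the same connection) next to the per-request host validation that
prevents it. All class names, hosts and cookie values are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    domain: str
    name: str
    value: str

    def matches(self, host: str) -> bool:
        """RFC 6265-style domain match: host is the cookie domain or a subdomain of it."""
        host, domain = host.lower(), self.domain.lower()
        return host == domain or host.endswith("." + domain)


@dataclass
class Connection:
    origin: tuple                   # (scheme, host, port) the socket was opened to
    last_host: Optional[str] = None  # effective host of the previous request on this socket


class Session:
    """Minimal client: a connection pool keyed by origin plus a cookie jar.

    validate_per_request=False reproduces the described bug: a reused
    connection that receives a request without a Host header keeps the
    previous request's effective host, and therefore its cookies.
    validate_per_request=True recomputes the effective host every time.
    """

    def __init__(self, jar: list, validate_per_request: bool):
        self.jar = jar
        self.validate_per_request = validate_per_request
        self.pool = {}

    def _connection(self, url: str):
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        origin = (parts.scheme, parts.hostname, port)
        # Same origin -> same pooled connection (connection reuse)
        conn = self.pool.setdefault(origin, Connection(origin))
        return conn, parts.hostname

    def build_request(self, url: str, headers: Optional[dict] = None) -> dict:
        """Return the headers that would go on the wire for this request."""
        headers = dict(headers or {})
        conn, url_host = self._connection(url)
        custom_host = headers.get("Host")
        if custom_host or self.validate_per_request or conn.last_host is None:
            effective_host = custom_host or url_host
        else:
            effective_host = conn.last_host  # stale host survives reuse (the bug)
        conn.last_host = effective_host
        headers["Host"] = effective_host
        # Cookies are selected against the effective host, so a stale host
        # pulls the wrong jar entries onto the wire.
        matched = [c for c in self.jar if c.matches(effective_host)]
        if matched:
            headers["Cookie"] = "; ".join(f"{c.name}={c.value}" for c in matched)
        return headers


def leaked_cookies(headers: dict, expected_host: str, jar: list) -> list:
    """Names of cookies in the outgoing Cookie header whose domain does not
    match the host the request was actually meant for."""
    sent = headers.get("Cookie", "")
    names = [item.split("=", 1)[0] for item in sent.split("; ") if item]
    by_name = {c.name: c for c in jar}
    return [n for n in names if n in by_name and not by_name[n].matches(expected_host)]


def demo(validate_per_request: bool) -> dict:
    """Two requests over one pooled connection; returns the second request's headers."""
    jar = [Cookie("app.example.com", "session", "s3cr3t")]  # constructed sample cookie
    session = Session(jar, validate_per_request)
    # First request: a custom Host header names a virtual host behind 203.0.113.10
    session.build_request("https://203.0.113.10/login", {"Host": "app.example.com"})
    # Second request: same origin, so the connection is reused; no Host header given
    return session.build_request("https://203.0.113.10/status")


if __name__ == "__main__":
    jar = [Cookie("app.example.com", "session", "s3cr3t")]
    for flag in (False, True):
        hdrs = demo(flag)
        print(f"validate_per_request={flag}: {hdrs} "
              f"leaked={leaked_cookies(hdrs, '203.0.113.10', jar)}")
```

Running the block shows the second request carrying Host: app.example.com and the session cookie when validation is skipped, and Host: 203.0.113.10 with no Cookie header when the effective host is recomputed per request; the same leaked_cookies() check can be run over captured request headers from a debug trace to confirm whether a given client is affected.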

Advisories

No advisories yet.

History

Fri, 01 May 2026 01:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Curl; Curl libcurl

Type: Vendors & Products
Values Removed: (none)
Values Added: Curl; Curl libcurl

Fri, 01 May 2026 00:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations.

Type: Title
Values Removed: (none)
Values Added: curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-346

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}; threat_severity: Low

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Low

Public Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6276 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T22:45:26Z

Weaknesses