Description
Using libcurl, when a custom `Host:` header is first set for an HTTP request
and a second request is subsequently done using the same *easy handle* but
without the custom `Host:` header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request. Leak them.
Published: 2026-05-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in libcurl’s handling of custom Host headers allows a cookie associated with one domain to be sent to a second domain if the same easy handle is reused and the custom Host header is omitted on the second request. The flaw results from stale header state being carried over, causing libcurl to transmit the original host’s cookies to the new host, thereby exposing session identifiers and other cookie‑based secrets. This breach is classified as a cookie leakage vulnerability (CWE‑346) and involves cleartext transmission of sensitive information due to insecure handling of host headers (CWE‑319).

Affected Systems

The vulnerability affects applications that embed or link against the libcurl library, including the command‑line curl client and other software that uses libcurl for HTTP requests. Any installation of libcurl that has not applied the documented fix for CVE‑2026‑6276 is potentially vulnerable; no specific product or version constraints are listed by the CNA.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1 % and the absence from the CISA KEV catalog suggest low likelihood of widespread exploitation. However, the attack can be performed in normal usage when an application reuses connections with differing Host headers, so confirmation of usage patterns and code paths is warranted. Based on the description, it is inferred that the attacker must control the application’s request flow to set and then omit a custom Host header within the same easy handle, implying local code or a privileged exploit is required, but the impact remains significant if achieved.

Generated by OpenCVE AI on May 14, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libcurl to the latest version that includes the CVE‑2026‑6276 fix.
  • If a patch is unavailable, modify application logic to set the Host header on every request or disable connection reuse by setting CURLOPT_FORBID_REUSE to 1.
  • Audit all modules that use libcurl to ensure no custom Host header is set on one request and omitted on a subsequent request over the same easy handle, and adjust the code accordingly.

Generated by OpenCVE AI on May 14, 2026 at 15:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8227-1 curl vulnerabilities
History

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Haxx
Haxx curl
Weaknesses CWE-319
CPEs cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Vendors & Products Haxx
Haxx curl

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations. Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
Title curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers stale custom cookie host causes cookie leak
References

Fri, 01 May 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl libcurl
Vendors & Products Curl
Curl libcurl

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations.
Title curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Low

Subscriptions

Curl Libcurl
Haxx Curl
cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-05-13T17:26:06.894Z

Reserved: 2026-04-14T14:01:54.772Z

Link: CVE-2026-6276

cve-icon Vulnrichment

Updated: 2026-05-13T09:05:37.539Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T13:01:56.800

Modified: 2026-05-14T14:21:06.997

Link: CVE-2026-6276

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6276 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T15:30:16Z

Weaknesses