Description
When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, libcurl could leak the password used for the first host to the
followed-to host under certain circumstances.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libcurl can unintentionally send the credentials it read from a .netrc file for the original host to the host an HTTP redirect leads to, when the original and the redirected request share the same HTTP proxy and the proxy connection is reused. This flaw, classified as exposure of sensitive information (CWE-201), allows an attacker to obtain user passwords transmitted over clear text HTTP, exposing authentication credentials and enabling credential theft.

Affected Systems

The vulnerability affects libcurl and any application that depends on it, including the curl command-line tool, when configured to use .netrc authentication and to follow HTTP redirects automatically. All libcurl builds with .netrc support that predate the fix and do not isolate proxy connections are potentially affected; specific version numbers are not identified.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of <1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so there is little evidence of exploitation in the wild. Based on the description, it is inferred that the attacker would need to control or observe the clear text HTTP proxy used by the victim for both the original and the redirected request; once that proxy traffic can be seen or manipulated, the leaked credentials can be captured. Although exploitation requires this specific proxy configuration, the potential for credential theft warrants prompt remediation.

Generated by OpenCVE AI on May 14, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest libcurl release that contains the fix for the .netrc reuse issue.
  • Disable .netrc usage or enforce HTTPS for all redirects in the application configuration.
  • Prevent proxy reuse for redirects by setting libcurl options to create a new connection for each redirected request.
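To make the condition behind these actions concrete, here is a simplified model added for this page (it is not libcurl's code): a .netrc lookup, a proxy connection that keeps whatever credentials were last attached to it, and a redirect followed over that same connection, first with the leaky behaviour described above and then with credentials re-resolved per host. The hostnames, the proxy address and the .netrc entries are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative model written for this page, not libcurl's implementation. */

/* Constructed .netrc contents: only the first host has an entry. */
struct netrc_entry { const char *machine, *login, *password; };
static const struct netrc_entry NETRC[] = { { "origin.example", "alice", "origin-secret" } };

/* Return the .netrc entry for exactly this host, or NULL if none. */
static const struct netrc_entry *netrc_lookup(const char *host) {
    for (size_t i = 0; i < sizeof NETRC / sizeof NETRC[0]; i++)
        if (strcmp(NETRC[i].machine, host) == 0) return &NETRC[i];
    return NULL;
}

/* Model of one proxy connection: it keeps whatever credentials were last attached. */
struct conn { const char *proxy; char user[64]; char passwd[64]; };
typedef const char *(*request_fn)(struct conn *, const char *host);

/* Leaky: a host with no .netrc entry inherits the credentials the reused connection still carries. */
const char *request_leaky(struct conn *c, const char *host) {
    const struct netrc_entry *e = netrc_lookup(host);
    if (e) {
        snprintf(c->user, sizeof c->user, "%s", e->login);
        snprintf(c->passwd, sizeof c->passwd, "%s", e->password);
    }
    return c->passwd;                         /* password that gets sent to host */
}

/* Scoped: credentials belong to a host, so a .netrc miss clears what carried over from the previous hop. */
const char *request_scoped(struct conn *c, const char *host) {
    const struct netrc_entry *e = netrc_lookup(host);
    snprintf(c->user, sizeof c->user, "%s", e ? e->login : "");
    snprintf(c->passwd, sizeof c->passwd, "%s", e ? e->password : "");
    return c->passwd;
}

/* Follow origin.example -> target.example over one reused proxy connection; return the password the target gets. */
const char *password_sent_to_target(request_fn req) {
    static char sent[64];
    struct conn c = { "proxy.example:3128", "", "" };
    req(&c, "origin.example");                                   /* first hop: .netrc hit */
    snprintf(sent, sizeof sent, "%s", req(&c, "target.example")); /* redirect, same connection */
    return sent;
}

int main(void) {
    printf("leaky:  target receives \"%s\"\n", password_sent_to_target(request_leaky));
    printf("scoped: target receives \"%s\"\n", password_sent_to_target(request_scoped));
    return 0;
}
```

The same check, written as a regression test in an application's own test suite, is how a team would confirm that credentials never travel past the host they were looked up for.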

Advisories

Source: Ubuntu USN
ID: USN-8227-1
Title: curl vulnerabilities
History

Thu, 14 May 2026 14:30:00 +0000
  First Time appeared (added): Haxx; Haxx curl
  Weaknesses (added): NVD-CWE-noinfo
  CPEs (added): cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
  Vendors & Products (added): Haxx; Haxx curl

Wed, 13 May 2026 14:15:00 +0000
  Metrics (removed): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Metrics (added): cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 13 May 2026 09:15:00 +0000
  Description (removed): A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials.
  Description (added): When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
  Title (removed): curl: libcurl: Credential leak via reused proxy connection during HTTP redirects
  Title (added): netrc credential leak with reused proxy connection
  References: (empty)

Fri, 01 May 2026 01:45:00 +0000
  First Time appeared (added): Curl; Curl libcurl
  Vendors & Products (added): Curl; Curl libcurl

Fri, 01 May 2026 00:15:00 +0000
  Description (added): A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials.
  Title (added): curl: libcurl: Credential leak via reused proxy connection during HTTP redirects
  Weaknesses (added): CWE-201
  References: (empty)
  Metrics (removed): threat_severity None
  Metrics (added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
  Metrics (added): threat_severity Moderate

MITRE

Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-05-13T14:03:55.343Z
Reserved: 2026-04-16T14:48:02.991Z
Link: CVE-2026-6429

Vulnrichment

Updated: 2026-05-13T14:03:47.972Z

NVD

Status: Analyzed
Published: 2026-05-13T13:01:56.930
Modified: 2026-05-14T14:18:02.240
Link: CVE-2026-6429

Redhat

Severity: Moderate
Public Date: 2026-04-29T00:00:00Z
Links: CVE-2026-6429 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-14T15:30:16Z

Weaknesses