Description
libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.

Published: 2026-07-03
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logical error in libcurl causes an application to reuse an existing connection that was authenticated with one service when it should use a different service. The reused connection may thus grant the attacker access to resources belonging to a different authentication domain, effectively bypassing intended access controls. This flaw represents an Improper Authentication weakness that can lead to unauthorized data access and privilege escalation.

Affected Systems

The vulnerability affects the libcurl library (curl:curl). No specific versions are listed in the data, so all installations using this library, particularly those configured to use Negotiate authentication, are potentially impacted.

Risk and Exploitability

Explicit severity metrics are not supplied; the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. The attack likely requires the attacker to influence the application’s reuse behavior or to trigger the logical error during a request. Based on the description, the risk can be considered moderate to high, but the exact exploitation probability cannot be quantified without further data.

Generated by OpenCVE AI on July 3, 2026 at 09:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest libcurl release that includes the official fix for CVE-2026-8458
  • If an immediate upgrade is not possible, reconfigure the application to disable connection pooling for Negotiate-authenticated requests
  • Ensure that the connection-reuse logic verifies that the authentication service of a pooled connection matches the intended target before the connection is reused

Advisories

Source       ID           Title
Ubuntu USN   USN-8487-1   curl vulnerabilities

History

Fri, 03 Jul 2026 08:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Curl; Curl curl
Vendors & Products    (none)           Curl; Curl curl

Fri, 03 Jul 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           libcurl might in some circumstances reuse the wrong connection when asked to do Negotiate-authenticated ones, even when they are set to use different 'services'. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different services.
Title         (none)           wrong reuse for different services

References

MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-07-03T06:14:42.258Z

Reserved: 2026-05-13T08:33:36.632Z

Link: CVE-2026-8458

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T09:45:05Z

Weaknesses

No weakness.