CVE-2026-9079

NameCVE-2026-9079
Descriptionlibcurl had a flaw that when instructed to clear proxy authentication credentials which made it not do so, leaving the old credentials around to get used for subsequent transfers that should not know nor use them.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
curl (PTS)bullseye7.74.0-1.3+deb11u13fixed
bullseye (security)7.74.0-1.3+deb11u16fixed
bookworm7.88.1-10+deb12u15fixed
bookworm (security)7.88.1-10+deb12u5fixed
trixie8.14.1-2+deb13u4vulnerable
forky8.20.0-5vulnerable
sid8.21.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
curlsourcebullseye(not affected)
curlsourcebookworm(not affected)
curlsource(unstable)8.21.0~rc2-1

Notes

[trixie] - curl <no-dsa> (Minor issue)
[bookworm] - curl <not-affected> (Vulnerable code not present)
[bullseye] - curl <not-affected> (Vulnerable code not present)
https://curl.se/docs/CVE-2026-9079.html
Introduced with: https://github.com/curl/curl/commit/d5e83eb745762f48d8fafadc5df5dd3ae8d8941e (curl-8_8_0)
Fixed by: https://github.com/curl/curl/commit/88c7e16cceec816a2df45c899d49b1e85513f193 (rc-8_21_0-1, curl-8_21_0)

Search for package or bug name: Reporting problems