CVE-2026-11856
curl · curl
A handle reuse flaw in libcurl allows the improper transmission of Digest authentication headers to unauthorized origins when switching between HTTP hosts.
Executive summary
A high-severity authentication bypass vulnerability in libcurl could permit the accidental disclosure of sensitive credentials to unintended third-party servers.
Vulnerability
This is an authentication-related flaw (CWE-294) where libcurl fails to clear the Authorization header when reusing a handle for a new transfer to a different host. Attackers do not need prior authentication; the flaw is triggered by the application's handling of HTTP requests.
Business impact
Successful exploitation leads to the leakage of valid authentication headers to malicious servers, potentially resulting in unauthorized access to secure resources or account compromise. While the CVSS score is 7.5, the potential for credential exposure across automated systems presents a significant risk to organizational identity security.
Remediation
Immediate Action: Update to the latest version of curl/libcurl as soon as the vendor provides a patch; in the interim, avoid reusing handles across different HTTP origins.
Proactive Monitoring: Review outgoing traffic logs for unexpected Authorization headers being sent to unexpected or external hosts.
Compensating Controls: Implement strict egress filtering to prevent internal servers from sending sensitive authentication data to unauthorized or unknown external endpoints.
Exploitation status
Public Exploit Available: No (unknown)
Analyst recommendation
This vulnerability represents a critical risk to data confidentiality. Organizations should prioritize updating their curl dependencies immediately upon the release of a patched version to prevent potential credential theft via header leakage.