CVE-2026-12064

curl · curl

A mismatch between the curl tool and libcurl when using `--proto-default` with schemeless URLs can bypass critical SSH security option initializations.

Executive summary

A security initialization flaw in curl when using specific command-line arguments can lead to the bypass of critical SSH security options.

Vulnerability

The vulnerability (CWE-297) occurs when the curl command-line tool incorrectly infers the URL scheme, causing a failure to initialize CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 or similar security settings when --proto-default is used with sftp/scp.

Business impact

Exploitation of this flaw could allow for man-in-the-middle (MitM) attacks during SSH/SFTP transfers, as the application may fail to properly validate the host's identity. With a CVSS score of 7.5, this vulnerability represents a significant risk to automated data transfers and CI/CD pipelines that rely on curl for secure file movement.

Remediation

Immediate Action: Upgrade to the latest version of curl to ensure the tool correctly initializes SSH security options regardless of protocol defaults.

Proactive Monitoring: Review scripts and automation pipelines that utilize the --proto-default flag combined with SFTP or SCP to ensure they are not relying on insecure connection patterns.

Compensating Controls: Where possible, avoid using the --proto-default flag for automated SSH/SFTP tasks and explicitly define the full URL scheme to prevent the tool from misinterpreting the protocol.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Security teams must audit automation scripts using curl to identify and remediate instances where --proto-default is utilized. Upgrading the curl binary is the primary defense, as this is a fundamental logic error within the tool's interaction layer.