CVE-2026-12064
curl · curl
A mismatch between the curl tool and libcurl when using `--proto-default` with schemeless URLs can bypass critical SSH security option initializations.
Executive summary
A security initialization flaw in curl when using specific command-line arguments can lead to the bypass of critical SSH security options.
Vulnerability
The vulnerability (CWE-297) occurs when the curl command-line tool incorrectly infers the URL scheme, causing a failure to initialize CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 or similar security settings when --proto-default is used with sftp/scp.
Business impact
Exploitation of this flaw could allow for man-in-the-middle (MitM) attacks during SSH/SFTP transfers, as the application may fail to properly validate the host's identity. With a CVSS score of 7.5, this vulnerability represents a significant risk to automated data transfers and CI/CD pipelines that rely on curl for secure file movement.
Remediation
Immediate Action: Upgrade to the latest version of curl to ensure the tool correctly initializes SSH security options regardless of protocol defaults.
Proactive Monitoring: Review scripts and automation pipelines that utilize the --proto-default flag combined with SFTP or SCP to ensure they are not relying on insecure connection patterns.
Compensating Controls: Where possible, avoid using the --proto-default flag for automated SSH/SFTP tasks and explicitly define the full URL scheme to prevent the tool from misinterpreting the protocol.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Security teams must audit automation scripts using curl to identify and remediate instances where --proto-default is utilized. Upgrading the curl binary is the primary defense, as this is a fundamental logic error within the tool's interaction layer.