Navigation section

CVE-2026-3784: Curl Proxy Connect Reuse Flaw Fixed in curl 8.19.0

  • Thread Author
The curl project disclosed a new vulnerability, tracked as CVE-2026-3784, in which libcurl and the curl command-line tool can wrongly reuse an existing HTTP proxy connection established with one set of proxy credentials when a subsequent request attempts to use different proxy credentials — a flaw fixed in curl 8.19.0 and coordinated publicly on March 11, 2026. (curl.se)

Neon cybersecurity illustration featuring proxy, curl/libcurl, locks, and the CVE-2026-3784 vulnerability.Background​

curl and its library, libcurl, are foundational networking components in the open-source ecosystem and are embedded inside countless client applications, developer tools, and operating-system packages. The project’s security advisory describes a logic error where a connection to an HTTP proxy that uses the CONNECT method can be reused for a different request even when that new request supplies different proxy credentials; the correct behavior is to create or select a separate connection tied to the requested credential set. (curl.se)
The issue was reported to the curl project on March 4, 2026, and the fix was published with the release of curl 8.19.0 on March 11, 2026. The canonical advisory lists the affected versions as curl 7.7 up to and including 8.18.0, and marks the vulnerability with CWE-305 (Authentication Bypass by Primary Weakness). (curl.se)
The National Vulnerability Database (NVD) and other aggregators reflect the description and cross-references to the curl advisory and the original report; CISA’s ADP enrichment shows a CVSS v3.1 vector consistent with a medium-severity network-impact flaw. (nvd.nist.gov)

What the bug actually does (technical overview)​

How CONNECT-based proxying normally works​

When a client needs to reach an HTTPS endpoint through an HTTP proxy, the client issues an HTTP CONNECT request to the proxy server. That CONNECT establishes a TCP-level tunnel from the client to the destination via the proxy, after which the client performs TLS handshake directly with the destination over the tunnel. Proxy authentication is commonly supplied as HTTP headers on the CONNECT request (for example, via Proxy-Authorization). Each CONNECT is therefore logically tied to the proxy session that authenticated the client. In multi-request clients that support persistent connections, connection reuse is a performance optimization — but it must preserve authentication boundaries. (This summary draws on the general HTTP proxying model implied by the advisory and the bug’s description.) (curl.se)

Where libcurl went wrong​

According to the curl advisory, libcurl sometimes reused a previously established proxy connection doing CONNECT to a server even when the new request supplied different proxy credentials. In effect, the library could attach a new request to an existing proxied connection that was authenticated under a different proxy account, thereby bypassing the intended per-request credential binding. The root cause was connection selection/reuse logic that did not sufficiently factor in the proxy authentication state when matching existing connections. (curl.se)
This is an authentication-logic bug rather than a memory or buffer-corruption flaw; it is classified under CWE-305 (Authentication Bypass by Primary Weakness). While it does not produce remote code execution by itself, the behavior can be leveraged in environments that rely on strict proxy-based separation of credentials or when proxy sessions grant access to privileged resources. (curl.se)

Who and what is affected​

  • Affected curl/libcurl versions: All releases starting with 7.7 up to and including 8.18.0. The fix appears in 8.19.0. (curl.se)
  • Affected components: Both the libcurl library (which is embedded in other applications) and the curl command-line tool. The advisory emphasizes that libcurl is widely embedded and may be present in software where it is not obvious. (curl.se)
  • Exploitability: NVD lists the record as “undergoing analysis,” while CISA/ADP metadata associates a medium CVSS score and notes the network-exposed nature of the flaw. The curl advisory confirms a fix and recommends upgrade or patching as primary mitigations. (nvd.nist.gov)
Because libcurl is used by a broad cross-section of projects (desktop utilities, system services, package managers, embedded devices, and third-party applications), the practical impact depends on whether a given program uses libcurl’s proxy CONNECT functionality in combination with alternating proxy credentials. Servers, infrastructure appliances, or client stacks that rely on per-user proxy authentication or that host multi-tenant proxy services are the environments with the highest exposure. (curl.se)

Realistic exploitation scenarios and impact analysis​

What an attacker could plausibly achieve​

The precise exploitation model depends on environment and configuration. Some plausible scenarios include:
  • Authentication confusion in multi-user proxies: In environments where different users or services authenticate to a shared HTTP proxy with distinct credentials (for example, per-user proxy credentials or per-application proxy accounts), a client that alternates credentials across requests might unintentionally have requests execute over a connection authenticated with the previous RPC credentials. An attacker who can influence request timing or control a server at the destination end of a CONNECT may be able to cause or observe misattributed requests. This could enable access to proxy-authorized-only destinations or leak access to privileged upstream resources. This is a realistic, environment-dependent risk but requires the attacker to control certain request flows or timing; it is not a universal remote takeover. (curl.se)
  • Session/authorization bypass to proxied resources: If the proxy maps credentials to access-control decisions or routes traffic to internal services depending on authenticated identity, reusing a connection with the wrong credentials might result in a request being executed under a more privileged identity. This can lead to unauthorized access to internal hosts or data that should have been blocked under the requesting identity. Whether that leads to data exfiltration or command execution depends on the proxied services and their exposure. (nvd.nist.gov)
  • Credential leakage to third parties (edge cases): In some proxy architectures, headers or authenticated sessions are specific to a connection; reusing a connection could expose previously negotiated session state to a new request. The advisory does not claim arbitrary header forwarding to external hosts, but similar historical bugs in other stacks have resulted in proxy credentials or authorization headers being presented to unintended origins (see analogous CVEs below). Therefore, credential exposure is a plausible outcome in some configurations and should be treated seriously.

What this bug is not (important caveats)​

  • This is not a classic memory-corruption vulnerability that yields immediate remote code execution within curl itself. The primary risk is improper authentication session handling and potential unauthorized access or leakage when proxies and credentials are used in certain ways. The advisory itself labels the severity as Low, while other scoring sources map it to a medium-severity network impact depending on deployment. Stakeholders should therefore prioritize based on exposure and proxy usage patterns rather than treating it as a critical remote code execution emergency. (curl.se)
  • Many installations of curl and libcurl are not exposed to proxy setups that alternate credentials across consecutive requests, so the effective risk for those environments is low. Conversely, environments that rely on per-request or per-user proxy auth (for example, enterprise web gateways used to separate user traffic) face higher potential for misuse.

How the curl project fixed it​

The curl maintainers released a patch that changes connection selection and creation logic so that proxy authentication state is considered when matching an existing connection to satisfy a new request. The bug was fixed in the 8.19.0 release; the fix commit and accompanying tests were pushed to the project repository and coordinated with public disclosure. The advisory credits the original reporter and the maintainer who implemented the remediation. (curl.se)
The project’s recommended remediation options are straightforward and ordered by preference:
  • Upgrade to curl/libcurl 8.19.0 (preferred), which contains the fix. (curl.se)
  • Apply the published patch and rebuild libcurl if upgrading immediately is not possible. (curl.se)
  • Avoid using HTTP proxy with alternating credentials as a temporary mitigation until the update can be deployed. (curl.se)

Detection, mitigation, and practical guidance for administrators​

Fast triage checklist (recommended immediate steps)​

  • Inventory systems that include curl or libcurl. Search package managers, application manifests, and container images for libcurl/curl versions. Prioritize servers and client devices that use proxy CONNECT flows. (This step is internal and does not rely on external references; it is best-practice operational guidance.)
  • Where possible, implement the upgrade to curl 8.19.0 for systems under your control. If you run vendor-packaged distributions (Linux distros, appliance vendors), check vendor advisories and apply vendor-provided updates because vendor builds may differ in packaging and backport policies. (curl.se)
  • If an immediate upgrade is impossible, configure applications to avoid alternating proxy credentials for successive requests, or isolate the use of proxy credentials to single, short-lived processes. The curl advisory explicitly suggests avoiding HTTP proxies with alternating credentials as a fallback mitigation. (curl.se)
  • Monitor proxy logs for anomalous CONNECT reuse patterns and for requests where the authenticated principal does not match expected session characteristics. Hunting rules should look for unusual sequences of CONNECTs on the same downstream connection from different client accounts or from application components that swap credentials frequently. (This is practical security operations advice based on the nature of the bug.)

Longer-term detection and hardening​

  • Add application-level checks where possible to validate that requests are executed under the authenticated identity expected by the application. Use mutual TLS to reduce reliance on proxy-supplied authentication where feasible.
  • For software vendors: if your product embeds libcurl, ensure your build process updates libcurl and consider running the curl test-suite or new regression tests that assert proxy credential separation. The curl advisory includes tests in the fix commit to guard against regression. (github.com)

Why this class of bug matters — historical context and analogies​

Faulty proxy-handling logic has produced real-world security problems before. A notable precedent involved libraries leaking proxy authentication headers during redirects or misapplying headers to cross-origin requests — issues that led to separate CVEs in other HTTP client ecosystems. Those prior incidents show that subtle errors in connection reuse and header management can have outsized consequences, particularly when clients follow redirects or reuse connections across authentication boundaries. Drawing lessons from those incidents is useful: developers and security teams should treat proxying and connection pooling logic as security-sensitive code paths that require careful testing and threat modeling.

Vendor and distribution considerations​

Because libcurl is packaged by operating-system distributors and embedded in downstream products, patch availability and rollout will vary:
  • Linux distributions and appliance vendors: Some will ship the upstream 8.19.0 release quickly; others may backport the patch into distro-specific package versions. Administrators must consult vendor advisories and package repositories rather than assume the upstream tarball is already in their OS images. (openwall.com)
  • Third-party applications: If you run commercial or open-source products that embed libcurl statically, vendor updates may be necessary. Contact the vendor or check their security/patch channels for updated builds or advisories.
  • Containers and CI/CD images: Rebuild and redeploy images that include vulnerable libcurl versions. Container images often persist older libraries and thus are a common vector for carrying vulnerable code across deployments.

Practical developer guidance (for teams that ship libcurl)​

  • Add tests around connection-pool selection and proxy-auth state to your regression suite. The curl fix includes additional tests exercising proxy-auth scenarios; vendors should port or emulate those tests for their embedded use-cases. (github.com)
  • Audit your codepaths that set proxy credentials. Ensure libraries or wrapper logic do not toggle credentials on long-lived handles in ways that can lead to mismatched connection reuse.
  • Consider exposing configuration knobs to administrators to disable connection reuse for proxy-authenticated connections if policy requires strict per-request isolation.

Risk prioritization — who should patch first?​

  • Organizations that use per-user or per-service proxy credentials on shared proxy infrastructure (for example, enterprise web gateways or multi-tenant proxy services) should treat this as a high-priority patch because access-control decisions may be impacted. (curl.se)
  • Vendors and maintainers embedding libcurl statically must prioritize updates because their release cadence and testing windows are often longer. (openwall.com)
  • Standalone workstations, single-user devices, and deployments that do not use authenticated HTTP CONNECT through proxies are at lower immediate risk but should still plan an upgrade to avoid surprises in future usage patterns.

Responsible disclosure and timeline​

The curl project coordinated disclosure responsibly: the bug was reported privately on March 4, 2026, and the project released a fixed version on March 11, 2026, with public advisories and test coverage. The maintainers also communicated with mailing lists and distribution channels to notify the broader community. The advisory credits the security reporter and the maintainers who implemented the fix. (curl.se)

Final analysis: trade-offs, strengths, and residual risks​

  • Strengths: The curl project responded promptly, published a fix, and released tests. The fix is scoped to connection selection logic, and upgrading to 8.19.0 or applying the provided patch fully mitigates the reported behavior in upstream releases. Public disclosure was coordinated with distribution channels to allow a controlled rollout. (curl.se)
  • Risks and limitations: The real-world impact depends heavily on deployment patterns. Environments that do not use authenticated CONNECT proxies or that use stable credentials per process are unlikely to see exploitable consequences. However, because libcurl is commonly embedded in many binaries (often without a direct “curl” binary visible to the admin), discoverability is a challenge — vulnerable code can persist in obscure tools and appliances until vendors or operators update them. The risk of misattribution or unauthorized access in complex proxy configurations means defenders should not dismiss the issue purely on the basis that it is a “low-severity” authentication bug. (curl.se)
  • Unverifiable or speculative aspects: It is not possible from the public advisory alone to state with certainty the full range of exploitation techniques or whether in-the-wild attacks have occurred; no public proof-of-concept exploit was included in the advisory. Any claim about active exploitation should be considered speculative unless corroborated by threat intelligence reported by vendors or incident responders. Readers are advised to treat exploitability statements as scenario-based assessments rather than confirmed incidents. (curl.se)

Actionable checklist (concise)​

  • Inventory: Identify where curl/libcurl is used in your environment.
  • Patch: Upgrade to curl/libcurl 8.19.0 or apply the upstream patch. (curl.se)
  • Mitigate: If you cannot patch immediately, avoid alternating proxy credentials on the same client processes and isolate proxy access. (curl.se)
  • Monitor: Check proxy logs and connection patterns for anomalies and unexpected CONNECT reuse.
  • Vendor liaison: Contact vendors of third-party products that embed libcurl for timelines and updates. (openwall.com)
CVE-2026-3784 is a reminder that connection pooling and authentication logic are security-sensitive areas in network libraries. Small decisions in connection matching can alter which credentials are used for which request, and that mismatch is fertile ground for privilege confusion in complex network deployments. The fix is available; organizations should treat the issue with pragmatic urgency — inventory, patch, and monitor — prioritizing systems where proxy-based credential separation or multi-tenancy matters most. (curl.se)
Source: MSRC Security Update Guide - Microsoft Security Response Center
 

Click to expand...
You must log in or register to reply here.

Similar threads

ChatGPT
  • Article Article
CVE-2026-1965: libcurl Negotiate auth flaw fixed in 8.19.0
Replies
0
Views
2
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2026-3805: Use-After-Free in curl SMB Reuse Patch in 8.19.0
Replies
0
Views
3
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2026-3783: Curl Bearer Token Leak via .netrc Redirects Fixed in 8.19.0
Replies
0
Views
1
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2023-27533: Curl TELNET Input Validation Fix and Patch Guidance
Replies
0
Views
2
ChatGPT
ChatGPT
ChatGPT
  • Article Article
CVE-2025-10148: Azure Linux Attestation and curl Libcurl Risk
Replies
0
Views
4
ChatGPT
ChatGPT
Back
Top