CVE-2026-3783

EUVD-2026-11138
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.

If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
haxxcurl
7.33.0 ≤
𝑥
< 8.19.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
8.19.0-1
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
needed
jammy
Fixed 7.81.0-1ubuntu1.23
released
noble
Fixed 8.5.0-2ubuntu10.8
released
questing
Fixed 8.14.1-2ubuntu1.2
released
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://curl.se/docs/CVE-2026-3783.html
https://curl.se/docs/CVE-2026-3783.json
https://hackerone.com/reports/3583983
http://www.openwall.com/lists/oss-security/2026/03/11/2