CVE-2026-5773

EUVD-2026-29924

13.05.2026, 13:01

libcurl might in some circumstances reuse the wrong connection for SMB(S)
transfers.

libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical
error in the code, a network transfer operation that was requested by an
application could wrongfully reuse an existing SMB connection to the same
server that was using a different 'share' than the new subsequent transfer
should.

This could in unlucky situations lead to the download of the wrong file or the
upload of a file to the wrong place. When this happens, the same credentials
are used and the server name is the same.

SSRF

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
curl	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
haxx	curl	7.40.0 ≤ 𝑥 < 8.20.0

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
curl	curl	𝑥 ≤ 8.19.0	CNA
curl	curl	𝑥 ≤ 8.18.0	CNA
curl	curl	𝑥 ≤ 8.17.0	CNA
curl	curl	𝑥 ≤ 8.16.0	CNA
curl	curl	𝑥 ≤ 8.15.0	CNA
curl	curl	𝑥 ≤ 8.14.1	CNA
curl	curl	𝑥 ≤ 8.14.0	CNA
curl	curl	𝑥 ≤ 8.13.0	CNA
curl	curl	𝑥 ≤ 8.12.1	CNA
curl	curl	𝑥 ≤ 8.12.0	CNA
curl	curl	𝑥 ≤ 8.11.1	CNA
curl	curl	𝑥 ≤ 8.11.0	CNA
curl	curl	𝑥 ≤ 8.10.1	CNA
curl	curl	𝑥 ≤ 8.10.0	CNA
curl	curl	𝑥 ≤ 8.9.1	CNA
curl	curl	𝑥 ≤ 8.9.0	CNA
curl	curl	𝑥 ≤ 8.8.0	CNA
curl	curl	𝑥 ≤ 8.7.1	CNA
curl	curl	𝑥 ≤ 8.7.0	CNA
curl	curl	𝑥 ≤ 8.6.0	CNA
curl	curl	𝑥 ≤ 8.5.0	CNA
curl	curl	𝑥 ≤ 8.4.0	CNA
curl	curl	𝑥 ≤ 8.3.0	CNA
curl	curl	𝑥 ≤ 8.2.1	CNA
curl	curl	𝑥 ≤ 8.2.0	CNA
curl	curl	𝑥 ≤ 8.1.2	CNA
curl	curl	𝑥 ≤ 8.1.1	CNA
curl	curl	𝑥 ≤ 8.1.0	CNA
curl	curl	𝑥 ≤ 8.0.1	CNA
curl	curl	𝑥 ≤ 8.0.0	CNA
curl	curl	𝑥 ≤ 7.88.1	CNA
curl	curl	𝑥 ≤ 7.88.0	CNA
curl	curl	𝑥 ≤ 7.87.0	CNA
curl	curl	𝑥 ≤ 7.86.0	CNA
curl	curl	𝑥 ≤ 7.85.0	CNA
curl	curl	𝑥 ≤ 7.84.0	CNA
curl	curl	𝑥 ≤ 7.83.1	CNA
curl	curl	𝑥 ≤ 7.83.0	CNA
curl	curl	𝑥 ≤ 7.82.0	CNA
curl	curl	𝑥 ≤ 7.81.0	CNA
curl	curl	𝑥 ≤ 7.80.0	CNA
curl	curl	𝑥 ≤ 7.79.1	CNA
curl	curl	𝑥 ≤ 7.79.0	CNA
curl	curl	𝑥 ≤ 7.78.0	CNA
curl	curl	𝑥 ≤ 7.77.0	CNA
curl	curl	𝑥 ≤ 7.76.1	CNA
curl	curl	𝑥 ≤ 7.76.0	CNA
curl	curl	𝑥 ≤ 7.75.0	CNA
curl	curl	𝑥 ≤ 7.74.0	CNA
curl	curl	𝑥 ≤ 7.73.0	CNA
curl	curl	𝑥 ≤ 7.72.0	CNA
curl	curl	𝑥 ≤ 7.71.1	CNA
curl	curl	𝑥 ≤ 7.71.0	CNA
curl	curl	𝑥 ≤ 7.70.0	CNA
curl	curl	𝑥 ≤ 7.69.1	CNA
curl	curl	𝑥 ≤ 7.69.0	CNA
curl	curl	𝑥 ≤ 7.68.0	CNA
curl	curl	𝑥 ≤ 7.67.0	CNA
curl	curl	𝑥 ≤ 7.66.0	CNA
curl	curl	𝑥 ≤ 7.65.3	CNA
curl	curl	𝑥 ≤ 7.65.2	CNA
curl	curl	𝑥 ≤ 7.65.1	CNA
curl	curl	𝑥 ≤ 7.65.0	CNA
curl	curl	𝑥 ≤ 7.64.1	CNA
curl	curl	𝑥 ≤ 7.64.0	CNA
curl	curl	𝑥 ≤ 7.63.0	CNA
curl	curl	𝑥 ≤ 7.62.0	CNA
curl	curl	𝑥 ≤ 7.61.1	CNA
curl	curl	𝑥 ≤ 7.61.0	CNA
curl	curl	𝑥 ≤ 7.60.0	CNA
curl	curl	𝑥 ≤ 7.59.0	CNA
curl	curl	𝑥 ≤ 7.58.0	CNA
curl	curl	𝑥 ≤ 7.57.0	CNA
curl	curl	𝑥 ≤ 7.56.1	CNA
curl	curl	𝑥 ≤ 7.56.0	CNA
curl	curl	𝑥 ≤ 7.55.1	CNA
curl	curl	𝑥 ≤ 7.55.0	CNA
curl	curl	𝑥 ≤ 7.54.1	CNA
curl	curl	𝑥 ≤ 7.54.0	CNA
curl	curl	𝑥 ≤ 7.53.1	CNA
curl	curl	𝑥 ≤ 7.53.0	CNA
curl	curl	𝑥 ≤ 7.52.1	CNA
curl	curl	𝑥 ≤ 7.52.0	CNA
curl	curl	𝑥 ≤ 7.51.0	CNA
curl	curl	𝑥 ≤ 7.50.3	CNA
curl	curl	𝑥 ≤ 7.50.2	CNA
curl	curl	𝑥 ≤ 7.50.1	CNA
curl	curl	𝑥 ≤ 7.50.0	CNA
curl	curl	𝑥 ≤ 7.49.1	CNA
curl	curl	𝑥 ≤ 7.49.0	CNA
curl	curl	𝑥 ≤ 7.48.0	CNA
curl	curl	𝑥 ≤ 7.47.1	CNA
curl	curl	𝑥 ≤ 7.47.0	CNA
curl	curl	𝑥 ≤ 7.46.0	CNA
curl	curl	𝑥 ≤ 7.45.0	CNA
curl	curl	𝑥 ≤ 7.44.0	CNA
curl	curl	𝑥 ≤ 7.43.0	CNA
curl	curl	𝑥 ≤ 7.42.1	CNA
curl	curl	𝑥 ≤ 7.42.0	CNA
curl	curl	𝑥 ≤ 7.41.0	CNA
curl	curl	𝑥 ≤ 7.40.0	CNA

Debian Releases

Debian Product

Codename

curl

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	postponed
bullseye (security)	vulnerable
forky	8.20.0-1 fixed
sid	8.20.0-1 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

curl

bionic	needed
focal	needed
jammy	Fixed 7.81.0-1ubuntu1.24 released
noble	Fixed 8.5.0-2ubuntu10.9 released
questing	Fixed 8.14.1-2ubuntu1.3 released
resolute	Fixed 8.18.0-1ubuntu2.1 released
trusty	not-affected
xenial	needed

Known Exploits!

Common Weakness Enumeration

CWE-918 - Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Vulnerability Media Exposure

[GERMAN] cURL: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in cURL ausnutzen, um Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder Daten zu manipulieren.
Published: 2026-04-28T22:00:00+00:00

References

https://curl.se/docs/CVE-2026-5773.html

https://curl.se/docs/CVE-2026-5773.json

https://hackerone.com/reports/3650689

http://www.openwall.com/lists/oss-security/2026/04/29/9

https://hackerone.com/reports/3650689