CVE-2026-6276

EUVD-2026-29928
Using libcurl, when a custom `Host:` header is first set for an HTTP request
and a second request is subsequently done using the same *easy handle* but
without the custom `Host:` header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request. Leak them.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.19.0
CNA
curlcurl
𝑥
≤ 8.18.0
CNA
curlcurl
𝑥
≤ 8.17.0
CNA
curlcurl
𝑥
≤ 8.16.0
CNA
curlcurl
𝑥
≤ 8.15.0
CNA
curlcurl
𝑥
≤ 8.14.1
CNA
curlcurl
𝑥
≤ 8.14.0
CNA
curlcurl
𝑥
≤ 8.13.0
CNA
curlcurl
𝑥
≤ 8.12.1
CNA
curlcurl
𝑥
≤ 8.12.0
CNA
curlcurl
𝑥
≤ 8.11.1
CNA
curlcurl
𝑥
≤ 8.11.0
CNA
curlcurl
𝑥
≤ 8.10.1
CNA
curlcurl
𝑥
≤ 8.10.0
CNA
curlcurl
𝑥
≤ 8.9.1
CNA
curlcurl
𝑥
≤ 8.9.0
CNA
curlcurl
𝑥
≤ 8.8.0
CNA
curlcurl
𝑥
≤ 8.7.1
CNA
curlcurl
𝑥
≤ 8.7.0
CNA
curlcurl
𝑥
≤ 8.6.0
CNA
curlcurl
𝑥
≤ 8.5.0
CNA
curlcurl
𝑥
≤ 8.4.0
CNA
curlcurl
𝑥
≤ 8.3.0
CNA
curlcurl
𝑥
≤ 8.2.1
CNA
curlcurl
𝑥
≤ 8.2.0
CNA
curlcurl
𝑥
≤ 8.1.2
CNA
curlcurl
𝑥
≤ 8.1.1
CNA
curlcurl
𝑥
≤ 8.1.0
CNA
curlcurl
𝑥
≤ 8.0.1
CNA
curlcurl
𝑥
≤ 8.0.0
CNA
curlcurl
𝑥
≤ 7.88.1
CNA
curlcurl
𝑥
≤ 7.88.0
CNA
curlcurl
𝑥
≤ 7.87.0
CNA
curlcurl
𝑥
≤ 7.86.0
CNA
curlcurl
𝑥
≤ 7.85.0
CNA
curlcurl
𝑥
≤ 7.84.0
CNA
curlcurl
𝑥
≤ 7.83.1
CNA
curlcurl
𝑥
≤ 7.83.0
CNA
curlcurl
𝑥
≤ 7.82.0
CNA
curlcurl
𝑥
≤ 7.81.0
CNA
curlcurl
𝑥
≤ 7.80.0
CNA
curlcurl
𝑥
≤ 7.79.1
CNA
curlcurl
𝑥
≤ 7.79.0
CNA
curlcurl
𝑥
≤ 7.78.0
CNA
curlcurl
𝑥
≤ 7.77.0
CNA
curlcurl
𝑥
≤ 7.76.1
CNA
curlcurl
𝑥
≤ 7.76.0
CNA
curlcurl
𝑥
≤ 7.75.0
CNA
curlcurl
𝑥
≤ 7.74.0
CNA
curlcurl
𝑥
≤ 7.73.0
CNA
curlcurl
𝑥
≤ 7.72.0
CNA
curlcurl
𝑥
≤ 7.71.1
CNA
curlcurl
𝑥
≤ 7.71.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
8.20.0-1
fixed
sid
8.20.0-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
not-affected
focal
not-affected
jammy
Fixed 7.81.0-1ubuntu1.24
released
noble
Fixed 8.5.0-2ubuntu10.9
released
questing
Fixed 8.14.1-2ubuntu1.3
released
resolute
Fixed 8.18.0-1ubuntu2.1
released
trusty
not-affected
xenial
not-affected
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
curl
suse enterprise sap 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise sap 15 SP5
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP5
8.14.1-150400.5.83.1
fixed
libcurl-devel
suse enterprise sap 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise sap 15 SP5
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP5
8.14.1-150400.5.83.1
fixed
libcurl4
suse enterprise sap 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise sap 15 SP5
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP5
8.14.1-150400.5.83.1
fixed
libcurl4-32bit
suse enterprise sap 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise sap 15 SP5
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP4
8.14.1-150400.5.83.1
fixed
suse enterprise server 15 SP5
8.14.1-150400.5.83.1
fixed
Vulnerability Media Exposure
References
https://curl.se/docs/CVE-2026-6276.html
https://curl.se/docs/CVE-2026-6276.json
https://hackerone.com/reports/3671818
http://www.openwall.com/lists/oss-security/2026/04/29/13
https://hackerone.com/reports/3671818