CVE-2026-7168

EUVD-2026-29932
Successfully using libcurl to do a transfer over a specific HTTP proxy
(`proxyA`) with **Digest** authentication and then changing the proxy host to
a second one (`proxyB`) for a second transfer, reusing the same handle, makes
libcurl wrongly pass on the `Proxy-Authorization:` header field meant for
`proxyA`, to `proxyB`.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
curlCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
curlcurl
𝑥
≤ 8.19.0
CNA
curlcurl
𝑥
≤ 8.18.0
CNA
curlcurl
𝑥
≤ 8.17.0
CNA
curlcurl
𝑥
≤ 8.16.0
CNA
curlcurl
𝑥
≤ 8.15.0
CNA
curlcurl
𝑥
≤ 8.14.1
CNA
curlcurl
𝑥
≤ 8.14.0
CNA
curlcurl
𝑥
≤ 8.13.0
CNA
curlcurl
𝑥
≤ 8.12.1
CNA
curlcurl
𝑥
≤ 8.12.0
CNA
curlcurl
𝑥
≤ 8.11.1
CNA
curlcurl
𝑥
≤ 8.11.0
CNA
curlcurl
𝑥
≤ 8.10.1
CNA
curlcurl
𝑥
≤ 8.10.0
CNA
curlcurl
𝑥
≤ 8.9.1
CNA
curlcurl
𝑥
≤ 8.9.0
CNA
curlcurl
𝑥
≤ 8.8.0
CNA
curlcurl
𝑥
≤ 8.7.1
CNA
curlcurl
𝑥
≤ 8.7.0
CNA
curlcurl
𝑥
≤ 8.6.0
CNA
curlcurl
𝑥
≤ 8.5.0
CNA
curlcurl
𝑥
≤ 8.4.0
CNA
curlcurl
𝑥
≤ 8.3.0
CNA
curlcurl
𝑥
≤ 8.2.1
CNA
curlcurl
𝑥
≤ 8.2.0
CNA
curlcurl
𝑥
≤ 8.1.2
CNA
curlcurl
𝑥
≤ 8.1.1
CNA
curlcurl
𝑥
≤ 8.1.0
CNA
curlcurl
𝑥
≤ 8.0.1
CNA
curlcurl
𝑥
≤ 8.0.0
CNA
curlcurl
𝑥
≤ 7.88.1
CNA
curlcurl
𝑥
≤ 7.88.0
CNA
curlcurl
𝑥
≤ 7.87.0
CNA
curlcurl
𝑥
≤ 7.86.0
CNA
curlcurl
𝑥
≤ 7.85.0
CNA
curlcurl
𝑥
≤ 7.84.0
CNA
curlcurl
𝑥
≤ 7.83.1
CNA
curlcurl
𝑥
≤ 7.83.0
CNA
curlcurl
𝑥
≤ 7.82.0
CNA
curlcurl
𝑥
≤ 7.81.0
CNA
curlcurl
𝑥
≤ 7.80.0
CNA
curlcurl
𝑥
≤ 7.79.1
CNA
curlcurl
𝑥
≤ 7.79.0
CNA
curlcurl
𝑥
≤ 7.78.0
CNA
curlcurl
𝑥
≤ 7.77.0
CNA
curlcurl
𝑥
≤ 7.76.1
CNA
curlcurl
𝑥
≤ 7.76.0
CNA
curlcurl
𝑥
≤ 7.75.0
CNA
curlcurl
𝑥
≤ 7.74.0
CNA
curlcurl
𝑥
≤ 7.73.0
CNA
curlcurl
𝑥
≤ 7.72.0
CNA
curlcurl
𝑥
≤ 7.71.1
CNA
curlcurl
𝑥
≤ 7.71.0
CNA
curlcurl
𝑥
≤ 7.70.0
CNA
curlcurl
𝑥
≤ 7.69.1
CNA
curlcurl
𝑥
≤ 7.69.0
CNA
curlcurl
𝑥
≤ 7.68.0
CNA
curlcurl
𝑥
≤ 7.67.0
CNA
curlcurl
𝑥
≤ 7.66.0
CNA
curlcurl
𝑥
≤ 7.65.3
CNA
curlcurl
𝑥
≤ 7.65.2
CNA
curlcurl
𝑥
≤ 7.65.1
CNA
curlcurl
𝑥
≤ 7.65.0
CNA
curlcurl
𝑥
≤ 7.64.1
CNA
curlcurl
𝑥
≤ 7.64.0
CNA
curlcurl
𝑥
≤ 7.63.0
CNA
curlcurl
𝑥
≤ 7.62.0
CNA
curlcurl
𝑥
≤ 7.61.1
CNA
curlcurl
𝑥
≤ 7.61.0
CNA
curlcurl
𝑥
≤ 7.60.0
CNA
curlcurl
𝑥
≤ 7.59.0
CNA
curlcurl
𝑥
≤ 7.58.0
CNA
curlcurl
𝑥
≤ 7.57.0
CNA
curlcurl
𝑥
≤ 7.56.1
CNA
curlcurl
𝑥
≤ 7.56.0
CNA
curlcurl
𝑥
≤ 7.55.1
CNA
curlcurl
𝑥
≤ 7.55.0
CNA
curlcurl
𝑥
≤ 7.54.1
CNA
curlcurl
𝑥
≤ 7.54.0
CNA
curlcurl
𝑥
≤ 7.53.1
CNA
curlcurl
𝑥
≤ 7.53.0
CNA
curlcurl
𝑥
≤ 7.52.1
CNA
curlcurl
𝑥
≤ 7.52.0
CNA
curlcurl
𝑥
≤ 7.51.0
CNA
curlcurl
𝑥
≤ 7.50.3
CNA
curlcurl
𝑥
≤ 7.50.2
CNA
curlcurl
𝑥
≤ 7.50.1
CNA
curlcurl
𝑥
≤ 7.50.0
CNA
curlcurl
𝑥
≤ 7.49.1
CNA
curlcurl
𝑥
≤ 7.49.0
CNA
curlcurl
𝑥
≤ 7.48.0
CNA
curlcurl
𝑥
≤ 7.47.1
CNA
curlcurl
𝑥
≤ 7.47.0
CNA
curlcurl
𝑥
≤ 7.46.0
CNA
curlcurl
𝑥
≤ 7.45.0
CNA
curlcurl
𝑥
≤ 7.44.0
CNA
curlcurl
𝑥
≤ 7.43.0
CNA
curlcurl
𝑥
≤ 7.42.1
CNA
curlcurl
𝑥
≤ 7.42.0
CNA
curlcurl
𝑥
≤ 7.41.0
CNA
curlcurl
𝑥
≤ 7.40.0
CNA
curlcurl
𝑥
≤ 7.39.0
CNA
curlcurl
𝑥
≤ 7.38.0
CNA
curlcurl
𝑥
≤ 7.37.1
CNA
curlcurl
𝑥
≤ 7.37.0
CNA
curlcurl
𝑥
≤ 7.36.0
CNA
curlcurl
𝑥
≤ 7.35.0
CNA
curlcurl
𝑥
≤ 7.34.0
CNA
curlcurl
𝑥
≤ 7.33.0
CNA
curlcurl
𝑥
≤ 7.32.0
CNA
curlcurl
𝑥
≤ 7.31.0
CNA
curlcurl
𝑥
≤ 7.30.0
CNA
curlcurl
𝑥
≤ 7.29.0
CNA
curlcurl
𝑥
≤ 7.28.1
CNA
curlcurl
𝑥
≤ 7.28.0
CNA
curlcurl
𝑥
≤ 7.27.0
CNA
curlcurl
𝑥
≤ 7.26.0
CNA
curlcurl
𝑥
≤ 7.25.0
CNA
curlcurl
𝑥
≤ 7.24.0
CNA
curlcurl
𝑥
≤ 7.23.1
CNA
curlcurl
𝑥
≤ 7.23.0
CNA
curlcurl
𝑥
≤ 7.22.0
CNA
curlcurl
𝑥
≤ 7.21.7
CNA
curlcurl
𝑥
≤ 7.21.6
CNA
curlcurl
𝑥
≤ 7.21.5
CNA
curlcurl
𝑥
≤ 7.21.4
CNA
curlcurl
𝑥
≤ 7.21.3
CNA
curlcurl
𝑥
≤ 7.21.2
CNA
curlcurl
𝑥
≤ 7.21.1
CNA
curlcurl
𝑥
≤ 7.21.0
CNA
curlcurl
𝑥
≤ 7.20.1
CNA
curlcurl
𝑥
≤ 7.20.0
CNA
curlcurl
𝑥
≤ 7.19.7
CNA
curlcurl
𝑥
≤ 7.19.6
CNA
curlcurl
𝑥
≤ 7.19.5
CNA
curlcurl
𝑥
≤ 7.19.4
CNA
curlcurl
𝑥
≤ 7.19.3
CNA
curlcurl
𝑥
≤ 7.19.2
CNA
curlcurl
𝑥
≤ 7.19.1
CNA
curlcurl
𝑥
≤ 7.19.0
CNA
curlcurl
𝑥
≤ 7.18.2
CNA
curlcurl
𝑥
≤ 7.18.1
CNA
curlcurl
𝑥
≤ 7.18.0
CNA
curlcurl
𝑥
≤ 7.17.1
CNA
curlcurl
𝑥
≤ 7.17.0
CNA
curlcurl
𝑥
≤ 7.16.4
CNA
curlcurl
𝑥
≤ 7.16.3
CNA
curlcurl
𝑥
≤ 7.16.2
CNA
curlcurl
𝑥
≤ 7.16.1
CNA
curlcurl
𝑥
≤ 7.16.0
CNA
curlcurl
𝑥
≤ 7.15.5
CNA
curlcurl
𝑥
≤ 7.15.4
CNA
curlcurl
𝑥
≤ 7.15.3
CNA
curlcurl
𝑥
≤ 7.15.2
CNA
curlcurl
𝑥
≤ 7.15.1
CNA
curlcurl
𝑥
≤ 7.15.0
CNA
curlcurl
𝑥
≤ 7.14.1
CNA
curlcurl
𝑥
≤ 7.14.0
CNA
curlcurl
𝑥
≤ 7.13.2
CNA
curlcurl
𝑥
≤ 7.13.1
CNA
curlcurl
𝑥
≤ 7.13.0
CNA
curlcurl
𝑥
≤ 7.12.3
CNA
curlcurl
𝑥
≤ 7.12.2
CNA
curlcurl
𝑥
≤ 7.12.1
CNA
curlcurl
𝑥
≤ 7.12.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
curl
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
8.20.0-1
fixed
sid
8.20.0-1
fixed
trixie
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
curl
bionic
needs-triage
focal
needs-triage
jammy
Fixed 7.81.0-1ubuntu1.24
released
noble
Fixed 8.5.0-2ubuntu10.9
released
questing
Fixed 8.14.1-2ubuntu1.3
released
resolute
Fixed 8.18.0-1ubuntu2.1
released
trusty
needs-triage
xenial
needs-triage
Vulnerability Media Exposure
References
https://curl.se/docs/CVE-2026-7168.html
https://curl.se/docs/CVE-2026-7168.json
https://hackerone.com/reports/3697719
http://www.openwall.com/lists/oss-security/2026/04/29/14
https://hackerone.com/reports/3697719