CVE-2026-8926
Discovered by AISLEPUBLISHEDCWE-522 Insufficiently Protected Credentials
Description
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://[email protected]/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| curl | curl | 8.20.0 | affected |
| curl | curl | 8.19.0 | — |
| curl | curl | 8.18.0 | — |
| curl | curl | 8.17.0 | — |
| curl | curl | 8.16.0 | — |
| curl | curl | 8.15.0 | — |
| curl | curl | 8.14.1 | — |
| curl | curl | 8.14.0 | — |
| curl | curl | 8.13.0 | — |
| curl | curl | 8.12.1 | — |
| curl | curl | 8.12.0 | — |
| curl | curl | 8.11.1 | — |
Credits
- Joshua Rogers (Aisle Research)(finder)
- Stefan Eissing(remediation developer)