CVE-2026-8926

Discovered by AISLEPUBLISHEDCWE-522 Insufficiently Protected Credentials

Description

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://[email protected]/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

Affected Products

VendorProductVersionStatus
curlcurl8.20.0affected
curlcurl8.19.0
curlcurl8.18.0
curlcurl8.17.0
curlcurl8.16.0
curlcurl8.15.0
curlcurl8.14.1
curlcurl8.14.0
curlcurl8.13.0
curlcurl8.12.1
curlcurl8.12.0
curlcurl8.11.1

Credits

  • Joshua Rogers (Aisle Research)(finder)
  • Stefan Eissing(remediation developer)

References