CVE-2026-9547

Discovered by AISLEPUBLISHEDCWE-297 Improper Validation of Certificate with Host Mismatch

Description

When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.

Affected Products

VendorProductVersionStatus
curlcurl8.20.0affected
curlcurl8.19.0
curlcurl8.18.0
curlcurl8.17.0
curlcurl8.16.0
curlcurl8.15.0
curlcurl8.14.1
curlcurl8.14.0
curlcurl8.13.0
curlcurl8.12.1
curlcurl8.12.0
curlcurl8.11.1
curlcurl8.11.0
curlcurl8.10.1
curlcurl8.10.0
curlcurl8.9.1
curlcurl8.9.0
curlcurl8.8.0
curlcurl8.7.1
curlcurl8.7.0
curlcurl8.6.0
curlcurl8.5.0
curlcurl8.4.0
curlcurl8.3.0
curlcurl8.2.1
curlcurl8.2.0
curlcurl8.1.2
curlcurl8.1.1
curlcurl8.1.0
curlcurl8.0.1
curlcurl8.0.0
curlcurl7.88.1
curlcurl7.88.0
curlcurl7.87.0
curlcurl7.86.0
curlcurl7.85.0
curlcurl7.84.0
curlcurl7.83.1
curlcurl7.83.0
curlcurl7.82.0
curlcurl7.81.0
curlcurl7.80.0
curlcurl7.79.1
curlcurl7.79.0
curlcurl7.78.0
curlcurl7.77.0
curlcurl7.76.1
curlcurl7.76.0
curlcurl7.75.0
curlcurl7.74.0
curlcurl7.73.0
curlcurl7.72.0
curlcurl7.71.1
curlcurl7.71.0
curlcurl7.70.0
curlcurl7.69.1
curlcurl7.69.0

Credits

  • Joshua Rogers (Aisle Research)(finder)
  • Joshua Rogers (Aisle Research)(remediation developer)

References