netrc credential leak with reused proxy connection_CVE-2026-6429

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, libcurl could leak the password used for the first host to the
followed-to host under certain circumstances.

Basic Information

ID CVE-2026-6429

Source curl

Published May 13, 2026 at 08:28

Modified May 13, 2026 at 14:03

Affected Product

Vendor curl

Product curl

Version 8.19.0

Affected Versions curl curl 8.19.0
curl curl 8.18.0
curl curl 8.17.0
curl curl 8.16.0
curl curl 8.15.0
curl curl 8.14.1
curl curl 8.14.0
curl curl 8.13.0
curl curl 8.12.1
curl curl 8.12.0
curl curl 8.11.1
curl curl 8.11.0
curl curl 8.10.1
curl curl 8.10.0
curl curl 8.9.1
curl curl 8.9.0
curl curl 8.8.0
curl curl 8.7.1
curl curl 8.7.0
curl curl 8.6.0
curl curl 8.5.0
curl curl 8.4.0
curl curl 8.3.0
curl curl 8.2.1
curl curl 8.2.0
curl curl 8.1.2
curl curl 8.1.1
curl curl 8.1.0
curl curl 8.0.1
curl curl 8.0.0
curl curl 7.88.1
curl curl 7.88.0
curl curl 7.87.0
curl curl 7.86.0
curl curl 7.85.0
curl curl 7.84.0
curl curl 7.83.1
curl curl 7.83.0
curl curl 7.82.0
curl curl 7.81.0
curl curl 7.80.0
curl curl 7.79.1
curl curl 7.79.0
curl curl 7.78.0
curl curl 7.77.0
curl curl 7.76.1
curl curl 7.76.0
curl curl 7.75.0
curl curl 7.74.0
curl curl 7.73.0
curl curl 7.72.0
curl curl 7.71.1
curl curl 7.71.0
curl curl 7.70.0
curl curl 7.69.1
curl curl 7.69.0
curl curl 7.68.0
curl curl 7.67.0
curl curl 7.66.0
curl curl 7.65.3
curl curl 7.65.2
curl curl 7.65.1
curl curl 7.65.0
curl curl 7.64.1
curl curl 7.64.0
curl curl 7.63.0
curl curl 7.62.0
curl curl 7.61.1
curl curl 7.61.0
curl curl 7.60.0
curl curl 7.59.0
curl curl 7.58.0
curl curl 7.57.0
curl curl 7.56.1
curl curl 7.56.0
curl curl 7.55.1
curl curl 7.55.0
curl curl 7.54.1
curl curl 7.54.0
curl curl 7.53.1
curl curl 7.53.0
curl curl 7.52.1
curl curl 7.52.0
curl curl 7.51.0
curl curl 7.50.3
curl curl 7.50.2
curl curl 7.50.1
curl curl 7.50.0
curl curl 7.49.1
curl curl 7.49.0
curl curl 7.48.0
curl curl 7.47.1
curl curl 7.47.0
curl curl 7.46.0
curl curl 7.45.0
curl curl 7.44.0
curl curl 7.43.0
curl curl 7.42.1
curl curl 7.42.0
curl curl 7.41.0
curl curl 7.40.0
curl curl 7.39.0
curl curl 7.38.0
curl curl 7.37.1
curl curl 7.37.0
curl curl 7.36.0
curl curl 7.35.0
curl curl 7.34.0
curl curl 7.33.0
curl curl 7.32.0
curl curl 7.31.0
curl curl 7.30.0
curl curl 7.29.0
curl curl 7.28.1
curl curl 7.28.0
curl curl 7.27.0
curl curl 7.26.0
curl curl 7.25.0
curl curl 7.24.0
curl curl 7.23.1
curl curl 7.23.0
curl curl 7.22.0
curl curl 7.21.7
curl curl 7.21.6
curl curl 7.21.5
curl curl 7.21.4
curl curl 7.21.3
curl curl 7.21.2
curl curl 7.21.1
curl curl 7.21.0
curl curl 7.20.1
curl curl 7.20.0
curl curl 7.19.7
curl curl 7.19.6
curl curl 7.19.5
curl curl 7.19.4
curl curl 7.19.3
curl curl 7.19.2
curl curl 7.19.1
curl curl 7.19.0
curl curl 7.18.2
curl curl 7.18.1
curl curl 7.18.0
curl curl 7.17.1
curl curl 7.17.0
curl curl 7.16.4
curl curl 7.16.3
curl curl 7.16.2
curl curl 7.16.1
curl curl 7.16.0
curl curl 7.15.5
curl curl 7.15.4
curl curl 7.15.3
curl curl 7.15.2
curl curl 7.15.1
curl curl 7.15.0
curl curl 7.14.1
curl curl 7.14.0

References

{
    "lastseen": "",
    "description": "When asked to both use a `.netrc` file for credentials and to follow HTTP\nredirects, libcurl could leak the password used for the first host to the\nfollowed-to host under certain circumstances.",
    "published": "2026-05-13T08:28:36.166Z",
    "modified": "2026-05-13T14:03:55.343Z",
    "type": "cve",
    "title": "netrc credential leak with reused proxy connection",
    "source": "curl",
    "references": "https://curl.se/docs/CVE-2026-6429.json\nhttps://curl.se/docs/CVE-2026-6429.html\nhttps://hackerone.com/reports/3677759",
    "id": "CVE-2026-6429",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "curl curl 8.19.0\ncurl curl 8.18.0\ncurl curl 8.17.0\ncurl curl 8.16.0\ncurl curl 8.15.0\ncurl curl 8.14.1\ncurl curl 8.14.0\ncurl curl 8.13.0\ncurl curl 8.12.1\ncurl curl 8.12.0\ncurl curl 8.11.1\ncurl curl 8.11.0\ncurl curl 8.10.1\ncurl curl 8.10.0\ncurl curl 8.9.1\ncurl curl 8.9.0\ncurl curl 8.8.0\ncurl curl 8.7.1\ncurl curl 8.7.0\ncurl curl 8.6.0\ncurl curl 8.5.0\ncurl curl 8.4.0\ncurl curl 8.3.0\ncurl curl 8.2.1\ncurl curl 8.2.0\ncurl curl 8.1.2\ncurl curl 8.1.1\ncurl curl 8.1.0\ncurl curl 8.0.1\ncurl curl 8.0.0\ncurl curl 7.88.1\ncurl curl 7.88.0\ncurl curl 7.87.0\ncurl curl 7.86.0\ncurl curl 7.85.0\ncurl curl 7.84.0\ncurl curl 7.83.1\ncurl curl 7.83.0\ncurl curl 7.82.0\ncurl curl 7.81.0\ncurl curl 7.80.0\ncurl curl 7.79.1\ncurl curl 7.79.0\ncurl curl 7.78.0\ncurl curl 7.77.0\ncurl curl 7.76.1\ncurl curl 7.76.0\ncurl curl 7.75.0\ncurl curl 7.74.0\ncurl curl 7.73.0\ncurl curl 7.72.0\ncurl curl 7.71.1\ncurl curl 7.71.0\ncurl curl 7.70.0\ncurl curl 7.69.1\ncurl curl 7.69.0\ncurl curl 7.68.0\ncurl curl 7.67.0\ncurl curl 7.66.0\ncurl curl 7.65.3\ncurl curl 7.65.2\ncurl curl 7.65.1\ncurl curl 7.65.0\ncurl curl 7.64.1\ncurl curl 7.64.0\ncurl curl 7.63.0\ncurl curl 7.62.0\ncurl curl 7.61.1\ncurl curl 7.61.0\ncurl curl 7.60.0\ncurl curl 7.59.0\ncurl curl 7.58.0\ncurl curl 7.57.0\ncurl curl 7.56.1\ncurl curl 7.56.0\ncurl curl 7.55.1\ncurl curl 7.55.0\ncurl curl 7.54.1\ncurl curl 7.54.0\ncurl curl 7.53.1\ncurl curl 7.53.0\ncurl curl 7.52.1\ncurl curl 7.52.0\ncurl curl 7.51.0\ncurl curl 7.50.3\ncurl curl 7.50.2\ncurl curl 7.50.1\ncurl curl 7.50.0\ncurl curl 7.49.1\ncurl curl 7.49.0\ncurl curl 7.48.0\ncurl curl 7.47.1\ncurl curl 7.47.0\ncurl curl 7.46.0\ncurl curl 7.45.0\ncurl curl 7.44.0\ncurl curl 7.43.0\ncurl curl 7.42.1\ncurl curl 7.42.0\ncurl curl 7.41.0\ncurl curl 7.40.0\ncurl curl 7.39.0\ncurl curl 7.38.0\ncurl curl 7.37.1\ncurl curl 7.37.0\ncurl curl 7.36.0\ncurl curl 7.35.0\ncurl curl 7.34.0\ncurl curl 7.33.0\ncurl curl 7.32.0\ncurl curl 7.31.0\ncurl curl 7.30.0\ncurl curl 7.29.0\ncurl curl 7.28.1\ncurl curl 7.28.0\ncurl curl 7.27.0\ncurl curl 7.26.0\ncurl curl 7.25.0\ncurl curl 7.24.0\ncurl curl 7.23.1\ncurl curl 7.23.0\ncurl curl 7.22.0\ncurl curl 7.21.7\ncurl curl 7.21.6\ncurl curl 7.21.5\ncurl curl 7.21.4\ncurl curl 7.21.3\ncurl curl 7.21.2\ncurl curl 7.21.1\ncurl curl 7.21.0\ncurl curl 7.20.1\ncurl curl 7.20.0\ncurl curl 7.19.7\ncurl curl 7.19.6\ncurl curl 7.19.5\ncurl curl 7.19.4\ncurl curl 7.19.3\ncurl curl 7.19.2\ncurl curl 7.19.1\ncurl curl 7.19.0\ncurl curl 7.18.2\ncurl curl 7.18.1\ncurl curl 7.18.0\ncurl curl 7.17.1\ncurl curl 7.17.0\ncurl curl 7.16.4\ncurl curl 7.16.3\ncurl curl 7.16.2\ncurl curl 7.16.1\ncurl curl 7.16.0\ncurl curl 7.15.5\ncurl curl 7.15.4\ncurl curl 7.15.3\ncurl curl 7.15.2\ncurl curl 7.15.1\ncurl curl 7.15.0\ncurl curl 7.14.1\ncurl curl 7.14.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "curl",
    "version": "8.19.0",
    "vendor": "curl",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply