SB2026071777 - Anolis OS update for curl
Published: July 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2026-5545)
CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to wrong reuse of HTTP Negotiate authentication connection. A remote attacker can execute arbitrary requests under the wrong user context.
2) Insufficiently protected credentials (CVE-ID: CVE-2026-6253)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to insufficiently protected credentials over redirect-to proxy. A remote attacker can gain access to sensitive information on the system.
3) Origin validation error (CVE-ID: CVE-2026-6276)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to origin validation error within stale custom cookie host. A remote attacker can gain access to sensitive information on the system.
4) Information disclosure (CVE-ID: CVE-2026-6429)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application when reused proxy connection. A remote attacker can gain unauthorized access to sensitive information on the system.
5) Insertion of Sensitive Information Into Sent Data (CVE-ID: CVE-2026-8924)
CWE-ID: CWE-201 - Insertion of Sensitive Information Into Sent Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper cookie domain validation in cookie parsing logic when processing a cookie with a trailing-dot domain for a trailing-dot hostname. A remote attacker can send a specially crafted HTTP response that sets a super cookie to disclose sensitive information.
This issue is exploitable through both libcurl and the curl command line tool, and it bypasses the Public Suffix List check.
6) Authentication Bypass by Capture-replay (CVE-ID: CVE-2026-8927)
CWE-ID: CWE-294 - Authentication Bypass by Capture-replay
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to impersonate the client to another proxy.
The vulnerability exists due to authentication bypass by capture-replay in libcurl proxy authentication state handling when reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration. A remote user can receive a leaked Proxy-Authorization header on a subsequent request to impersonate the client to another proxy.
The issue affects libcurl and does not affect the curl command line tool.
7) Improper validation of certificate with host mismatch (CVE-ID: CVE-2026-9547)
CWE-ID: CWE-297 - Improper Validation of Certificate with Host Mismatch
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a man-in-the-middle attack.
The vulnerability exists due to improper validation of certificate with host mismatch in the CURLOPT_SSH_KEYFUNCTION callback when validating SSH host keys for SCP:// or SFTP:// transfers. A remote attacker can present a host key type that does not match the key type already recorded for the host in the known_hosts file to perform a man-in-the-middle attack.
Only libcurl-based applications built with the libssh backend and using the callback are vulnerable. The curl command line tool is not affected.
Remediation
Install update from vendor's website.