Improper Certificate Validation in cURL - CVE-2026-11564

Published: June 24, 2026


Vulnerability identifier: #VU135073
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-11564
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certificate trust restrictions.

The vulnerability exists due to improper certificate validation in libcurl's connection reuse logic. When an application reuses an easy handle after switching the handle from the platform's native CA store to custom CA material (for example a CA file, directory or blob), the connection that was established and verified under native trust can be reused for the later transfer, so the stricter custom trust the application configured is not enforced on it. A remote attacker who can present a TLS certificate trusted by the native platform store can therefore bypass the certificate trust restrictions the application intended to apply.

This issue applies to builds that use the native CA store by default, i.e. on Apple operating systems or Windows, and affects the OpenSSL, GnuTLS, Schannel and Rustls TLS backends.
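The reuse condition described above, modelled as an added example written for this page. It is not libcurl's code and does not reproduce libcurl's real pool or matching routines; the host name, the pool layout and the matcher names are constructed for illustration. The point it shows is the class of defect: a connection-pool matcher that keys only on the endpoint will hand back a connection whose peer certificate was verified against the native store to a later request on the same handle that has switched to custom CA material, whereas a matcher that also compares the trust source forces a fresh, re-verified handshake.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of a TLS connection pool, written for this advisory. It is not
 * libcurl's code and does not reflect its real data structures; it only
 * shows the class of defect described: a pooled connection whose server
 * certificate was verified against one trust source is handed back to a
 * later request on the same handle that has switched to a different one. */

enum ca_source { CA_NATIVE, CA_CUSTOM };

struct tls_conf {
    const char *host;
    int port;
    enum ca_source ca;        /* which trust store verified the peer */
    const char *ca_material;  /* label of the custom CA file/blob, NULL if native */
};

#define POOL_SIZE 4

struct conn_pool {
    struct tls_conf conf[POOL_SIZE];  /* config each pooled connection was verified with */
    int count;
    int handshakes;                   /* full TLS handshakes performed so far */
};

static bool endpoint_matches(const struct tls_conf *a, const struct tls_conf *b)
{
    return strcmp(a->host, b->host) == 0 && a->port == b->port;
}

/* Vulnerable matcher: keys the pool on endpoint only, so the trust
 * configuration in force when the certificate was checked is ignored. */
static bool match_vulnerable(const struct tls_conf *cached, const struct tls_conf *want)
{
    return endpoint_matches(cached, want);
}

/* Hardened matcher: the trust source, and for a custom source the exact
 * material, must be identical before a verified connection is reused. */
static bool match_hardened(const struct tls_conf *cached, const struct tls_conf *want)
{
    if (!endpoint_matches(cached, want) || cached->ca != want->ca)
        return false;
    if (want->ca == CA_CUSTOM) {
        if (cached->ca_material == NULL || want->ca_material == NULL)
            return false;
        return strcmp(cached->ca_material, want->ca_material) == 0;
    }
    return true;
}

/* Serves one request: reuses a pooled connection if the matcher accepts it,
 * otherwise performs a new handshake (verified against want->ca) and pools it.
 * Returns true if the request was served from the pool without a handshake. */
static bool do_request(struct conn_pool *pool, const struct tls_conf *want, bool hardened)
{
    for (int i = 0; i < pool->count; i++) {
        bool ok = hardened ? match_hardened(&pool->conf[i], want)
                           : match_vulnerable(&pool->conf[i], want);
        if (ok)
            return true;
    }
    pool->handshakes++;
    if (pool->count < POOL_SIZE)
        pool->conf[pool->count++] = *want;
    return false;
}

/* Replays the advisory's trigger on a fresh pool: two requests with the
 * platform's native store, then a switch to a custom CA on the same handle.
 * Returns the number of TLS handshakes the third request caused; 0 means the
 * connection verified against the native store was silently reused.
 * The host name and CA label are constructed. */
int handshakes_after_trust_switch(bool hardened)
{
    struct conn_pool pool = { .count = 0, .handshakes = 0 };
    struct tls_conf native = { "api.example.invalid", 443, CA_NATIVE, NULL };
    struct tls_conf custom = { "api.example.invalid", 443, CA_CUSTOM, "pinned-ca.pem" };

    do_request(&pool, &native, hardened);   /* handshake #1, native trust */
    do_request(&pool, &native, hardened);   /* same trust: reuse is fine */

    int before = pool.handshakes;
    do_request(&pool, &custom, hardened);   /* trust switched: must re-verify */
    return pool.handshakes - before;
}

/* Confirms the hardened matcher still pools identical custom-CA requests,
 * so the fix does not simply disable connection reuse. */
int handshakes_for_repeated_custom(void)
{
    struct conn_pool pool = { .count = 0, .handshakes = 0 };
    struct tls_conf custom = { "api.example.invalid", 443, CA_CUSTOM, "pinned-ca.pem" };
    do_request(&pool, &custom, true);
    do_request(&pool, &custom, true);
    return pool.handshakes;
}

int main(void)
{
    printf("vulnerable matcher: %d handshake(s) after trust switch\n",
           handshakes_after_trust_switch(false));
    printf("hardened matcher:   %d handshake(s) after trust switch\n",
           handshakes_after_trust_switch(true));
    return 0;
}
```

With the endpoint-only matcher the third request reports zero handshakes, which is the bypass: the peer was only ever checked against the native store. With the trust-aware matcher it reports one, and identical custom-CA requests still share a connection.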


How to mitigate CVE-2026-11564

Install the security update from the vendor's website.

Because the defect is triggered only when an easy handle is reused after its CA configuration changes from the native store to custom material, applications that cannot update immediately can avoid the trigger by not reusing a handle across such a change, for example by using a separate easy handle for the transfers that rely on the custom CA material. This is a workaround that follows from the trigger described above, not one stated by the vendor.
