Authentication Bypass by Capture-replay in cURL - CVE-2026-11856


Published: June 24, 2026


Vulnerability identifier: #VU135075
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-11856
CWE-ID: CWE-294
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication by replaying Digest authentication state.

The vulnerability exists because libcurl's Digest authentication handling carries authentication state over when the same handle is reused for a second transfer to a different HTTP origin (capture-replay, CWE-294). A remote attacker who controls that second origin can receive a request carrying the Authorization header intended for the first origin and replay the exposed Digest authentication state to bypass authentication.

The issue affects libcurl but not the curl command line tool. The leaked header does not reveal the other origin, and the exposed state allows replay only for the exact path of the captured request.
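The following is an added illustration, not code from curl or libcurl, of the two halves of this class of bug: a client that keeps Digest state on a reusable handle without tying it to the origin that issued the challenge, next to the hardened pattern that keys the state by (scheme, host, port), plus the server-side checks (uri field equal to the requested path, strictly increasing nonce count) that limit what a captured header can do. It models RFC 7616 Digest with MD5 and qop=auth only; the hostnames, user, password, nonce and class names are constructed for the example.

```python
"""Added example, not curl/libcurl code: why Digest authentication state must be
scoped to the HTTP origin that issued the challenge, and what a server checks to
reject a replayed Digest header. Models RFC 7616 Digest (MD5, qop=auth) only."""
import hashlib
import re
from urllib.parse import urlsplit


def _h(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri, nc, cnonce):
    """RFC 7616 response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) with qop=auth."""
    ha1 = _h(f"{user}:{realm}:{password}")
    ha2 = _h(f"{method}:{uri}")
    return _h(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")


def origin_of(url):
    """(scheme, host, port): the unit that cached Digest state must be bound to."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))


def build_header(state, user, password, method, url, cnonce):
    """Pre-emptive Authorization header from cached challenge state (realm, nonce, nc)."""
    state["nc"] += 1
    uri = urlsplit(url).path or "/"
    resp = digest_response(user, password, state["realm"], state["nonce"], method, uri, state["nc"], cnonce)
    return (f'Digest username="{user}", realm="{state["realm"]}", nonce="{state["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={state["nc"]:08x}, cnonce="{cnonce}", response="{resp}"')


class LeakyHandle:
    """Vulnerable pattern: one Digest state per handle, reused for whatever origin comes next."""
    def __init__(self, user, password):
        self.user, self.password, self.state = user, password, None
    def learn_challenge(self, url, realm, nonce):
        self.state = {"realm": realm, "nonce": nonce, "nc": 0}
    def request_headers(self, method, url, cnonce="0a1b2c3d"):
        if self.state is None:
            return {}
        return {"Authorization": build_header(self.state, self.user, self.password, method, url, cnonce)}


class ScopedHandle(LeakyHandle):
    """Hardened pattern: Digest state keyed by the origin that issued the challenge."""
    def __init__(self, user, password):
        super().__init__(user, password)
        self.states = {}
    def learn_challenge(self, url, realm, nonce):
        self.states[origin_of(url)] = {"realm": realm, "nonce": nonce, "nc": 0}
    def request_headers(self, method, url, cnonce="0a1b2c3d"):
        state = self.states.get(origin_of(url))
        if state is None:
            return {}  # no challenge from this origin yet: send nothing
        return {"Authorization": build_header(state, self.user, self.password, method, url, cnonce)}


def parse_digest(header):
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header.split(" ", 1)[1])
    return {k: quoted or bare for k, quoted, bare in pairs}


class DigestServer:
    """Server side: uri must equal the requested path and nc must strictly increase per nonce."""
    def __init__(self, realm, users):
        self.realm, self.users, self.seen_nc = realm, users, {}
    def verify(self, method, path, header):
        f = parse_digest(header)
        password = self.users.get(f.get("username"))
        if password is None or f.get("realm") != self.realm or f.get("uri") != path:
            return False
        nc = int(f["nc"], 16)
        if nc <= self.seen_nc.get(f["nonce"], 0):
            return False  # nonce count reused: capture-replay of an earlier request
        expected = digest_response(f["username"], password, self.realm, f["nonce"], method, path, nc, f["cnonce"])
        if expected != f["response"]:
            return False
        self.seen_nc[f["nonce"]] = nc
        return True


def simulate(handle_cls):
    """Reuse one handle for api.example.test, then other.example.test (hosts are constructed)."""
    server = DigestServer("api", {"alice": "s3cret"})  # the first origin's server, constructed
    h = handle_cls("alice", "s3cret")
    h.learn_challenge("https://api.example.test/v1/secret", "api", "nonce-1")
    first = h.request_headers("GET", "https://api.example.test/v1/secret")
    first_ok = server.verify("GET", "/v1/secret", first["Authorization"])
    second = h.request_headers("GET", "https://other.example.test/v1/secret")
    leaked = "Authorization" in second  # True only if Digest state crossed origins
    hdr = second.get("Authorization", "")
    return {
        "first_origin_accepted": first_ok,
        "auth_sent_to_other_origin": leaked,
        "leaked_header_accepted_other_path": leaked and server.verify("GET", "/v1/other", hdr),
        "leaked_header_accepted_same_path": leaked and server.verify("GET", "/v1/secret", hdr),
        "leaked_header_accepted_twice": leaked and server.verify("GET", "/v1/secret", hdr),
    }


if __name__ == "__main__":
    print({cls.__name__: simulate(cls) for cls in (LeakyHandle, ScopedHandle)})
```

Running it shows the leaky handle emitting a Digest header to the second origin that the first origin accepts once, for the captured path only, while the scoped handle sends nothing to an origin it has never been challenged by. The server's nonce-count tracking is what turns a captured header into a one-shot token; the per-origin keying on the client is what keeps it from being captured at all.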


How to mitigate CVE-2026-11856

Install the security update from the vendor's website.
