Exposure of Data Element to Wrong Session in cURL - CVE-2026-8458

 

Published: June 24, 2026


Vulnerability identifier: #VU135076
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-8458
CWE-ID: CWE-488
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote user to expose data to the wrong session.

The vulnerability exists because the connection reuse logic in libcurl can reuse a Negotiate-authenticated connection across different services, exposing a data element to the wrong session. A remote user can issue a request that wrongly reuses an existing authenticated connection and thereby exposes data to the wrong session.

The issue only occurs when using the same hostname, port number, and credentials, and when the previous connection remains alive in the connection pool.
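
The reuse condition described above, as a simplified model added here for illustration (not libcurl's code and not part of the advisory). The `service` field, the pool-key layout and the sample requests are assumptions; the model contrasts a pool that matches on hostname, port and credentials only with one that also matches the service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    host: str
    port: int
    user: str
    service: str  # assumed: service the Negotiate context was established for

@dataclass
class Conn:
    req: Request        # request that opened and authenticated this connection
    alive: bool = True  # still sitting in the connection pool

class Pool:
    def __init__(self, match_service):
        self.match_service = match_service  # False models the flawed matching
        self.conns = []

    def _matches(self, conn, req):
        same = (conn.req.host, conn.req.port, conn.req.user) == \
               (req.host, req.port, req.user)
        if self.match_service:
            same = same and conn.req.service == req.service
        return conn.alive and same

    def acquire(self, req):
        """Return (connection, reused)."""
        for conn in self.conns:
            if self._matches(conn, req):
                return conn, True
        conn = Conn(req)
        self.conns.append(conn)
        return conn, False

def crosses_services(pool, first, second):
    """True if `second` rides a connection authenticated for another service."""
    pool.acquire(first)
    conn, reused = pool.acquire(second)
    return reused and conn.req.service != second.service

# Constructed sample requests: same host, port and credentials, different service.
A = Request("app.example.test", 443, "alice", "HTTP")
B = Request("app.example.test", 443, "alice", "OTHER")

if __name__ == "__main__":
    print("host/port/credentials only:", crosses_services(Pool(False), A, B))
    print("service also matched:      ", crosses_services(Pool(True), A, B))
```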


How to mitigate CVE-2026-8458

Install the security update from the vendor's website.
