Improper validation of certificate with host mismatch in cURL - CVE-2026-12064

 


Published: June 24, 2026


Vulnerability identifier: #VU135080
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-12064
CWE-ID: CWE-297
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker who can place an SSH server in the connection path to have the curl tool connect to it without verifying the remote host's identity.

The vulnerability exists because the curl command line tool fails to properly validate the identity of the remote SSH host (CWE-297, improper validation of certificate with host mismatch) when it is given a schemeless URL together with --proto-default sftp or --proto-default scp. A remote attacker who can present an SSH server in that connection flow gets the tool to connect to an unverified SSH remote host instead of the intended one.

This issue affects only the curl command line tool; the libcurl library and applications built on it are not affected.
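As an added example (not code from the curl project or from this advisory), the following Python script audits shell command lines for the triggering combination the description names: a curl invocation that sets --proto-default to sftp or scp and passes a URL argument with no scheme. It assumes the space-separated "--proto-default VALUE" form, a partial list of value-taking curl options, naive splitting of shell lines on pipes and && chains, and a constructed sample script with placeholder hosts. The explicit-scheme rewrite it suggests is an inference from the description, which ties the issue to schemeless URLs only.

```python
"""Auditor for the CVE-2026-12064 trigger condition in curl command lines.

Constructed example: flags curl invocations that combine --proto-default sftp
or --proto-default scp with a URL argument that carries no scheme, and shows
the explicit-scheme form that avoids that code path. Not curl project code.
"""
import os
import re
import shlex
from typing import List, Optional, Tuple

# A scheme prefix such as "sftp://" or "https://".
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")

# Long options that consume the following argv element. Partial list (an
# assumption of this example); extend it for the options your scripts use
# so their values are not mistaken for URLs.
LONG_WITH_VALUE = {
    "--user", "--output", "--header", "--data", "--request", "--upload-file",
    "--proto", "--hostpubmd5", "--hostpubsha256", "--key", "--pubkey",
    "--config", "--max-time", "--connect-timeout",
}
# Short options that consume the next argv element when they are the last
# letter of a cluster, e.g. "-sSo FILE" or "-u USER".
SHORT_WITH_VALUE = set("uoHdXTK")


def audit_command(cmdline: str) -> Optional[dict]:
    """Return a finding for one curl command line, or None if it is clean."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: nothing we can parse reliably
        return None
    if not argv or os.path.basename(argv[0]) != "curl":
        return None

    proto_default = None
    urls: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":  # end of options: everything after is a URL
            urls.extend(argv[i + 1:])
            break
        if arg == "--proto-default" and i + 1 < len(argv):
            proto_default = argv[i + 1].lower()
            i += 2
            continue
        if arg.startswith("--"):
            i += 2 if arg in LONG_WITH_VALUE else 1
            continue
        if arg.startswith("-") and len(arg) > 1:
            i += 2 if arg[-1] in SHORT_WITH_VALUE else 1
            continue
        urls.append(arg)
        i += 1

    schemeless = [u for u in urls if not SCHEME_RE.match(u)]
    if proto_default in ("sftp", "scp") and schemeless:
        return {
            "proto_default": proto_default,
            "schemeless_urls": schemeless,
            # Same transfer with an explicit scheme, so --proto-default
            # is never consulted for the URL (inferred from the advisory).
            "fixed_urls": [f"{proto_default}://{u}" for u in schemeless],
        }
    return None


def audit_script(text: str) -> List[Tuple[int, dict]]:
    """Audit every command in a shell script; one finding per offending command.

    Assumption: commands are split naively on |, ||, && and ;, and lines are
    not continued with backslashes. Comment lines are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for part in re.split(r"\s*(?:\|\||&&|\||;)\s*", line):
            finding = audit_command(part)
            if finding:
                findings.append((lineno, finding))
    return findings


# Constructed sample deploy script; hosts are placeholders, not real servers.
SAMPLE_SCRIPT = """\
# fetch the latest build, then push the signed artifact
curl --proto-default sftp -u deploy:$SFTP_PW -o build.tgz files.example.test/releases/build.tgz
curl --proto-default sftp -u deploy:$SFTP_PW -o build.tgz sftp://files.example.test/releases/build.tgz
curl --proto-default https -o index.html example.test/
curl -sS -u deploy:$SFTP_PW --proto-default scp -T build.tgz files.example.test/srv/incoming/ && echo uploaded
"""

if __name__ == "__main__":
    for lineno, f in audit_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: --proto-default {f['proto_default']} with schemeless "
              f"URL(s) {f['schemeless_urls']}; use {f['fixed_urls']} instead")
```

Run against the sample, the auditor flags lines 2 and 5 (schemeless URL with sftp and scp defaults) and leaves line 3 (explicit sftp:// scheme) and line 4 (--proto-default https) alone.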


How to mitigate CVE-2026-12064

Install the security update from the vendor's website. Because the issue is only triggered by a schemeless URL combined with --proto-default sftp or scp, scripts that cannot be updated immediately can avoid the affected path by giving SFTP and SCP URLs an explicit sftp:// or scp:// scheme instead of relying on --proto-default to supply it.
