Improper Certificate Validation in cURL - CVE-2026-8286
Published: June 24, 2026
Vulnerability identifier: #VU135081
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-8286
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL
cURL
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass TLS certificate validation.
The vulnerability exists due to improper certificate validation in connection reuse logic for STARTTLS-enabled protocol handling when reusing an existing live connection for a new transfer. A remote attacker can cause a transfer to reuse a connection with mismatched TLS settings to bypass TLS certificate validation.
This affects transfers using IMAP, POP3, SMTP, FTP, or LDAP schemes that begin in cleartext and are upgraded to TLS with STARTTLS.
How to mitigate CVE-2026-8286
Install security update from vendor's website.