Information disclosure in cURL - CVE-2026-9545


Published: June 24, 2026


Vulnerability identifier: #VU135087
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-9545
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: curl.haxx.se
Affected software:
cURL

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in libcurl's HTTP/3 handling when a cached SSL session is reused with early data enabled after the original server has been replaced by an impostor machine. A remote attacker who replaces the server with an impostor machine can cause libcurl to send request bytes before the certificate verification failure is enforced, disclosing sensitive information contained in those bytes.

This issue is specific to HTTP/3 with the ngtcp2 + nghttp3 backend and requires SSL session caching to remain enabled and TLS early data to be enabled.


How to mitigate CVE-2026-9545

Install the security update from the vendor's website.

Sources