Successfully using libcurl to do a transfer to a specific HTTP origin
(`hostA`) with **Digest** authentication and then changing the origin to a
different one (`hostB`) for a second transfer, reusing the same handle, makes
libcurl wrongly pass on the `Authorization:` header field meant for `hostA`,
to `hostB`.
References
| Link | Resource |
|---|---|
| https://curl.se/docs/CVE-2026-11856.html | Patch Vendor Advisory |
| https://curl.se/docs/CVE-2026-11856.json | Vendor Advisory |
| https://hackerone.com/reports/3793260 | Exploit Issue Tracking Third Party Advisory |
| https://hackerone.com/reports/3793260 | Exploit Issue Tracking Third Party Advisory |
Configurations
History
07 Jul 2026, 19:43
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Haxx curl
Haxx |
|
| CPE | cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | |
| References | () https://curl.se/docs/CVE-2026-11856.html - Patch, Vendor Advisory | |
| References | () https://curl.se/docs/CVE-2026-11856.json - Vendor Advisory | |
| References | () https://hackerone.com/reports/3793260 - Exploit, Issue Tracking, Third Party Advisory | |
| CWE | CWE-294 |
06 Jul 2026, 19:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://hackerone.com/reports/3793260 - | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
03 Jul 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-03 07:16
Updated : 2026-07-07 19:43
NVD link : CVE-2026-11856
Mitre link : CVE-2026-11856
CVE.ORG link : CVE-2026-11856
JSON object : View
Products Affected
haxx
- curl
CWE
CWE-294
Authentication Bypass by Capture-replay
