CVE-2026-6429

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-6429
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://curl.se/docs/CVE-2026-6429.html Patch Vendor Advisory
https://curl.se/docs/CVE-2026-6429.json Product
https://hackerone.com/reports/3677759 Exploit Issue Tracking Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
History

14 May 2026, 14:18

Type Values Removed Values Added
First Time Haxx
Haxx curl
CPE cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
References () https://curl.se/docs/CVE-2026-6429.html - () https://curl.se/docs/CVE-2026-6429.html - Patch, Vendor Advisory
References () https://curl.se/docs/CVE-2026-6429.json - () https://curl.se/docs/CVE-2026-6429.json - Product
References () https://hackerone.com/reports/3677759 - () https://hackerone.com/reports/3677759 - Exploit, Issue Tracking, Third Party Advisory

13 May 2026, 14:50

Type Values Removed Values Added
New CVE
Information

Published : 2026-05-13 13:01

Updated : 2026-06-17 11:00

NVD link : CVE-2026-6429

Mitre link : CVE-2026-6429

CVE.ORG link : CVE-2026-6429

JSON object : View

Products Affected

haxx

  • curl
CWE
NVD-CWE-noinfo