A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly ingest data from on-prem, cloud or hybrid environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Identity Security
    • Singularity Identity
      Identity Threat Detection and Response
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-class Expertise and Threat Intelligence.
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive solutions for seamless security operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your go-to source for our top partners in your region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-27536

CVE-2023-27536: Haxx Libcurl Auth Bypass Vulnerability

CVE-2023-27536 is an authentication bypass flaw in Haxx Libcurl that reuses connections with incorrect user permissions in GSSAPI transfers. This article covers technical details, affected versions, and mitigation.

Published: February 4, 2026

CVE-2023-27536 Overview

An authentication bypass vulnerability exists in libcurl versions prior to 8.0.0 that affects the connection reuse feature. The flaw allows previously established connections to be reused with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability specifically impacts krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information.

Critical Impact

Applications using libcurl with Kerberos/GSSAPI authentication may inadvertently reuse connections with stale delegation settings, potentially exposing sensitive data to unauthorized parties.

Affected Products

  • Haxx libcurl (versions prior to 8.0.0)
  • Fedora Project Fedora 36
  • Debian Linux 10.0
  • NetApp Active IQ Unified Manager for VMware vSphere
  • NetApp H300S, H500S, H700S, H410S Firmware
  • NetApp ONTAP 9
  • Splunk Universal Forwarder

Discovery Timeline

  • 2023-03-30 - CVE-2023-27536 published to NVD
  • 2025-02-14 - Last updated in NVD database

Technical Details for CVE-2023-27536

Vulnerability Analysis

This authentication bypass vulnerability stems from improper handling of the CURLOPT_GSSAPI_DELEGATION option when libcurl's connection reuse mechanism is active. When an application modifies the GSSAPI delegation settings between requests, libcurl fails to recognize this change and may reuse an existing connection that was established with different delegation permissions.

In Kerberos authentication scenarios, GSSAPI delegation controls whether the client's credentials can be forwarded to the server. The delegation setting determines the level of trust and access rights granted to the remote service. When this option changes but the connection persists with the original settings, it creates a security boundary violation.

The vulnerability is classified under CWE-305 (Authentication Bypass by Primary Weakness) and CWE-287 (Improper Authentication), reflecting the core issue of credential handling during connection lifecycle management.

Root Cause

The root cause lies in libcurl's connection pooling logic, which did not properly compare the CURLOPT_GSSAPI_DELEGATION setting when determining whether an existing connection could be reused. The connection matching algorithm evaluated other authentication parameters but overlooked changes to the GSSAPI delegation flag, allowing a connection established with one delegation policy to be reused after the application explicitly requested a different policy.

Attack Vector

This vulnerability requires a network-based attack vector. An attacker would need to be in a position to benefit from the improper delegation settings. The attack scenario involves an application that legitimately changes its GSSAPI delegation settings between requests—expecting the second request to use different credentials or permissions than the first.

In practical terms, this could occur when:

  1. An application makes an initial request with full credential delegation enabled
  2. The application then changes CURLOPT_GSSAPI_DELEGATION to disable or restrict delegation for security reasons
  3. Due to connection reuse, the second request continues using the original connection with full delegation still active
  4. Any service receiving this request could inappropriately receive delegated credentials

The safest mitigation is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed. Alternatively, upgrading to libcurl 8.0.0 or later resolves this issue entirely.

Detection Methods for CVE-2023-27536

Indicators of Compromise

  • Unexpected Kerberos ticket forwarding observed in authentication logs
  • GSSAPI delegation occurring when application configuration indicates it should be disabled
  • Connection reuse patterns in curl-based applications using Kerberos authentication
  • Anomalous credential delegation events in Kerberos KDC logs

Detection Strategies

  • Monitor applications using libcurl with Kerberos/GSSAPI authentication for version compliance
  • Audit systems for libcurl versions prior to 8.0.0 using package management queries
  • Review application code for usage patterns involving CURLOPT_GSSAPI_DELEGATION changes between requests
  • Implement network monitoring for unexpected credential delegation in Kerberos environments

Monitoring Recommendations

  • Enable verbose logging in applications using libcurl to track connection reuse behavior
  • Monitor Kerberos authentication logs for delegation events that don't match expected application behavior
  • Establish baseline patterns for GSSAPI authentication flows to detect anomalies
  • Correlate application-level curl configuration changes with network authentication events

How to Mitigate CVE-2023-27536

Immediate Actions Required

  • Upgrade libcurl to version 8.0.0 or later across all affected systems
  • Audit applications for usage of CURLOPT_GSSAPI_DELEGATION option with connection reuse
  • Disable connection reuse in applications that modify GSSAPI delegation settings between requests
  • Review and update dependent packages including Splunk Universal Forwarder and NetApp products

Patch Information

The vulnerability was addressed in libcurl version 8.0.0. Organizations should upgrade to this version or later to fully remediate the issue. For systems where immediate upgrade is not possible, vendor-specific patches are available from multiple sources:

  • Debian LTS Announcement April 2023
  • Fedora Package Announcement
  • Gentoo GLSA 2023-10-12
  • NetApp Security Advisory NTAP-20230420-0010

The original vulnerability report can be found at HackerOne Report #1895135.

Workarounds

  • Set CURLOPT_FRESH_CONNECT to force new connections when GSSAPI delegation settings change
  • Explicitly close and recreate curl handles after modifying CURLOPT_GSSAPI_DELEGATION
  • Disable connection pooling entirely in security-sensitive applications using CURLOPT_FORBID_REUSE
  • Implement application-level connection management that tracks delegation state changes
bash
# Configuration example - Disable connection reuse in curl
# When using command-line curl with Kerberos authentication
curl --no-keepalive --negotiate -u : https://example.com/resource

# In application code, set these options after changing GSSAPI delegation:
# CURLOPT_FRESH_CONNECT = 1  (force new connection)
# CURLOPT_FORBID_REUSE = 1   (prevent connection pooling)

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechLibcurl
  • SeverityMEDIUM
  • CVSS Score5.9
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-305
  • CWE-287
  • Technical References
  • HackerOne Report #1895135
  • Debian LTS Announcement April 2023
  • Fedora Package Announcement
  • Gentoo GLSA 2023-10-12
  • NetApp Security Advisory NTAP-20230420-0010
  • Related CVEs
  • CVE-2025-0725
  • CVE-2024-7264
  • CVE-2024-6874
  • CVE-2024-6197
  • CVE-2023-38545
  • CVE-2023-27535
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use