Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11856

CVE-2026-11856: Haxx Curl Auth Bypass Vulnerability

CVE-2026-11856 is an authentication bypass flaw in Haxx Curl where libcurl incorrectly sends Digest authentication headers to unintended hosts. This post covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-11856 Overview

CVE-2026-11856 is an authentication credential leak in libcurl affecting HTTP Digest authentication handling. When an application reuses a curl handle to perform sequential transfers, libcurl fails to clear the Authorization: header when the request origin changes. A transfer initially targeting hostA with Digest authentication will cause the credentials to be forwarded to hostB on the subsequent transfer. This exposes authentication material to unintended hosts controlled by attackers or third parties. The flaw is tracked under CWE-294: Authentication Bypass by Capture-replay.

Critical Impact

Applications reusing curl handles across HTTP origins can inadvertently disclose Digest authentication headers to unintended hosts, enabling credential capture and potential replay attacks.

Affected Products

  • Haxx curl / libcurl (see vendor advisory for specific version ranges)
  • Applications and language bindings that link against affected libcurl builds
  • Server-side tooling and clients performing multi-host HTTP transfers with reused handles

Discovery Timeline

  • 2026-07-03 - CVE-2026-11856 published to the National Vulnerability Database
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-11856

Vulnerability Analysis

libcurl allows applications to reuse a single easy handle across multiple transfers to improve connection reuse and performance. When the first transfer targets hostA using HTTP Digest authentication, libcurl computes and attaches an Authorization: header derived from the server-provided nonce and the credentials configured on the handle. On a subsequent transfer, the application may change the target URL to hostB. libcurl does not properly scope the previously generated Authorization: header to the original origin. Instead, it sends that header to hostB, leaking Digest response material to an unintended host. An attacker who controls or observes hostB can capture the header and attempt offline cracking or replay against the original service, depending on nonce reuse and configuration.

Root Cause

The root cause is improper origin-binding of authentication state carried on the reused handle. Digest Authorization: headers must be scoped to the origin that issued the corresponding WWW-Authenticate challenge. libcurl retains the previously generated header on the handle and applies it to the next request without validating that the new URL matches the origin the credentials were computed against.

Attack Vector

Exploitation requires an application that reuses a libcurl easy handle to perform transfers to multiple origins after using Digest authentication. An attacker who can influence the destination of the second transfer, operate a malicious server that receives it, or perform network interception on the second transfer can capture the leaked Authorization: header. The attack vector is network-based and requires no user interaction. This scenario is common in scrapers, API clients, redirect-followers, and orchestration tools built on libcurl.

No verified public exploit code was available at the time of writing. Refer to the cURL CVE-2026-11856 Advisory and HackerOne Report #3793260 for authoritative technical details.

Detection Methods for CVE-2026-11856

Indicators of Compromise

  • Outbound HTTP requests to unexpected hosts containing Authorization: Digest headers with username, realm, and response fields belonging to another service.
  • Web server or proxy logs showing Digest Authorization: values received from clients that were not previously challenged by that host.
  • Repeated identical nonce values appearing in Digest headers sent to multiple distinct hostnames from the same client.

Detection Strategies

  • Inspect egress HTTP traffic at a TLS-terminating proxy for Authorization: headers whose realm does not match the destination host.
  • Audit applications that use libcurl handle reuse (curl_easy_reset versus full handle destruction) and correlate transfers that switch hostnames between calls.
  • Review dependency inventories for the linked libcurl version and match against the fixed versions listed in the vendor advisory.

Monitoring Recommendations

  • Alert on Digest Authorization: headers observed on connections to hosts outside an approved allowlist for authenticated APIs.
  • Log and review all outbound requests made by services known to iterate over user-supplied or redirect-derived URLs.
  • Track libcurl version telemetry across servers and container images to identify unpatched deployments.

How to Mitigate CVE-2026-11856

Immediate Actions Required

  • Upgrade libcurl to the fixed version identified in the cURL CVE-2026-11856 Advisory across all systems, container images, and language bindings.
  • Rotate any Digest credentials that may have been transmitted to unintended hosts through handle reuse.
  • Audit application code for handle reuse patterns that switch between HTTP origins after Digest authentication.

Patch Information

The curl project has published fix details and affected version ranges in the vendor advisory. Consult the cURL CVE-2026-11856 JSON Data for machine-readable version and patch metadata, and rebuild or repackage dependent software against the patched libcurl release.

Workarounds

  • Destroy and recreate the curl easy handle (curl_easy_cleanup followed by curl_easy_init) between transfers targeting different origins instead of reusing it.
  • Explicitly clear the Authorization: header on the handle with CURLOPT_HTTPHEADER set to an empty replacement before switching origins.
  • Disable Digest authentication where a weaker requirement suffices, or restrict CURLOPT_HTTPAUTH to a single origin per handle lifecycle.
bash
# Configuration example - verify installed libcurl version and plan upgrade
curl --version
ldconfig -p | grep libcurl
# Consult https://curl.se/docs/CVE-2026-11856.html for the fixed release

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.