Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12064

CVE-2026-12064: Haxx Curl Auth Bypass Vulnerability

CVE-2026-12064 is an authentication bypass flaw in Haxx Curl affecting SSH host verification when using schemeless URLs with --proto-default sftp. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-12064 Overview

CVE-2026-12064 affects the curl command-line tool when users combine a schemeless URL with the --proto-default sftp (or scp) option. The tool layer and libcurl disagree on how to handle the inferred scheme. The tool skips initialization of critical SSH host verification options, while libcurl still honors CURLOPT_DEFAULT_PROTOCOL and completes the SFTP or SCP connection. As a result, curl connects to an unverified SSH remote host without raising any error. This flaw maps to CWE-295: Improper Certificate Validation and impacts Haxx curl.

Critical Impact

curl silently connects to unverified SSH hosts, enabling man-in-the-middle attackers to intercept or tamper with SFTP/SCP sessions.

Affected Products

  • Haxx curl (command-line tool and libcurl integration path)
  • Applications invoking curl with --proto-default sftp or --proto-default scp against schemeless URLs
  • Automation and scripting workflows relying on curl for SFTP/SCP transfers

Discovery Timeline

  • 2026-07-03 - CVE-2026-12064 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-12064

Vulnerability Analysis

The vulnerability originates from a state disconnect between curl's tool layer and libcurl runtime. When a user passes a URL without an explicit scheme and specifies --proto-default sftp or --proto-default scp, the tool layer incorrectly infers the URL scheme. That inference path bypasses the code that configures SSH-specific security options, including CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS.

libcurl behaves correctly on its side. It honors CURLOPT_DEFAULT_PROTOCOL, resolves the connection as SFTP or SCP, and proceeds with the transfer. Because the tool layer never wired in the host key pinning or known_hosts verification callbacks, libcurl treats the connection as one where no host verification was requested. The SSH session establishes against any remote host presenting any host key.

Root Cause

The root cause is an inconsistent scheme-resolution path in the curl tool. The security-option initialization logic keys off the parsed URL scheme rather than the effective protocol libcurl will use. When the scheme is inferred from --proto-default instead of the URL string, the SSH security branch is skipped. The cURL CVE-2026-12064 Advisory documents the affected code path.

Attack Vector

An attacker positioned on the network path between the curl client and the intended SFTP/SCP server can present any SSH host key. Because curl does not enforce host key pinning or check known_hosts, the client accepts the attacker's key and completes the handshake. The attacker then reads or modifies file transfers, harvests credentials passed after authentication, or serves malicious content in place of expected files. Exploitation requires no authentication and no user interaction beyond invoking curl with the vulnerable option combination. Refer to the HackerOne Report #3797526 for reported technical detail.

Detection Methods for CVE-2026-12064

Indicators of Compromise

  • curl command invocations combining --proto-default sftp or --proto-default scp with a URL that lacks an explicit sftp:// or scp:// scheme.
  • SFTP or SCP sessions completing successfully against hosts not listed in the expected known_hosts file.
  • Unexpected changes to known_hosts entries or missing host key verification errors in logs where they were previously present.

Detection Strategies

  • Audit shell histories, cron jobs, CI/CD pipelines, and deployment scripts for curl invocations using --proto-default with schemeless URLs.
  • Inspect network flows for SFTP/SCP traffic originating from hosts running vulnerable curl versions to destinations outside the approved server inventory.
  • Correlate curl process execution telemetry with outbound TCP/22 connections that lack a corresponding host key verification event.

Monitoring Recommendations

  • Log full curl command lines through endpoint process auditing and alert on the --proto-default sftp and --proto-default scp flags.
  • Monitor outbound SSH connections from application servers and build agents, comparing destinations against an allowlist.
  • Track curl package versions across the fleet and flag hosts not running a fixed release once the vendor publishes one.

How to Mitigate CVE-2026-12064

Immediate Actions Required

  • Update curl to the fixed release identified in the cURL CVE-2026-12064 Advisory as soon as it is available in your distribution.
  • Rewrite curl invocations to use explicit sftp:// or scp:// URL schemes and remove reliance on --proto-default for SSH-based transfers.
  • Rotate any credentials or SSH keys that may have been exposed through curl SFTP/SCP sessions initiated with the vulnerable option combination.

Patch Information

Haxx has published details of the issue in the cURL CVE-2026-12064 Advisory and machine-readable cURL CVE-2026-12064 JSON. Apply the fixed curl release referenced in the advisory across all systems that ship or bundle curl, including container base images and language runtime distributions.

Workarounds

  • Always specify the protocol scheme directly in the URL (for example, sftp://user@host/path) instead of relying on --proto-default sftp or --proto-default scp.
  • When scripting against libcurl, set CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 or CURLOPT_SSH_KNOWNHOSTS explicitly and verify they are honored before initiating transfers.
  • Restrict outbound SSH connectivity from build agents and servers to a defined allowlist so that misdirected sessions cannot reach attacker-controlled hosts.
bash
# Configuration example: prefer explicit schemes and enforce known_hosts
curl sftp://user@sftp.example.com/path/to/file \
  --hostpubsha256 <expected-base64-sha256> \
  -o localfile

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.