CVE-2026-3783 Overview
CVE-2026-3783 is an information disclosure vulnerability in Haxx cURL that allows OAuth2 bearer tokens to be leaked to unintended hosts during HTTP(S) redirects. When a transfer using an OAuth2 bearer token is redirected to a second URL, cURL may inadvertently pass the authentication token to the secondary hostname if that host has an entry in the .netrc file with either the machine or default keywords.
This vulnerability represents a significant credential leakage risk, particularly in environments where cURL is used for automated API interactions with OAuth2-protected services. An attacker who controls or compromises a redirect target could capture sensitive authentication tokens intended for the original host.
Critical Impact
OAuth2 bearer tokens can be leaked to malicious or unintended third-party hosts during HTTP redirects, potentially allowing unauthorized access to protected resources.
Affected Products
- Haxx cURL (all versions with OAuth2 bearer token support)
- Applications and scripts utilizing libcurl for OAuth2-authenticated requests
- Automation tools and CI/CD pipelines using cURL with bearer token authentication
Discovery Timeline
- 2026-03-11 - CVE-2026-3783 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-3783
Vulnerability Analysis
This vulnerability (CWE-522: Insufficiently Protected Credentials) occurs in cURL's credential handling logic during HTTP redirect processing. The flaw manifests when a user configures an OAuth2 bearer token for an initial HTTP(S) request, and that request receives a redirect response (HTTP 301, 302, 307, or 308) pointing to a different hostname.
Under normal circumstances, cURL should not forward authentication credentials to redirect targets unless explicitly configured. However, when the redirect destination has any entry in the user's .netrc file—either a specific machine directive or a default entry—cURL incorrectly determines that the bearer token should also be sent to the new host.
This creates a dangerous situation where sensitive OAuth2 tokens are transmitted to hosts that should not receive them, potentially exposing the credentials to malicious actors or unintended third parties.
Root Cause
The root cause lies in cURL's credential management logic, specifically in how it evaluates whether to include authentication credentials after following an HTTP redirect. The code path that checks .netrc file entries fails to distinguish between credentials stored in .netrc (which are intended for that specific host) and OAuth2 bearer tokens that were explicitly set for the original request URL only.
When cURL encounters a redirect and finds the destination host in .netrc, it incorrectly treats this as authorization to include all active credentials, including the OAuth2 bearer token from the original request.
Attack Vector
This vulnerability can be exploited via network-based attacks with the following conditions:
- The victim uses cURL with an OAuth2 bearer token for API authentication
- The victim's .netrc file contains entries for hosts that could be redirect targets
- An attacker can influence redirects (via compromised servers, DNS manipulation, or malicious content)
The attack requires no authentication or user interaction, making it exploitable in automated environments. An attacker could set up a malicious server, manipulate DNS, or compromise an intermediate service to redirect OAuth2-authenticated requests to their controlled endpoint, capturing the bearer token in the process.
Detection Methods for CVE-2026-3783
Indicators of Compromise
- Unexpected outbound HTTP requests containing Authorization: Bearer headers to unfamiliar hosts
- OAuth2 tokens appearing in access logs of unrelated services
- Authentication failures or token invalidations following legitimate API calls
- Network traffic analysis showing bearer tokens transmitted to non-API endpoints
Detection Strategies
- Monitor outbound HTTP headers for Authorization: Bearer tokens sent to unexpected destinations
- Implement network-level inspection for OAuth2 token patterns in traffic to non-whitelisted hosts
- Audit .netrc files on systems running automated cURL scripts to identify potential exposure paths
- Review cURL command invocations and libcurl configurations for OAuth2 bearer token usage combined with redirect following
Monitoring Recommendations
- Deploy egress filtering to detect and alert on OAuth2 bearer token transmission patterns
- Implement logging for all cURL/libcurl HTTP redirects in production environments
- Monitor OAuth2 token usage patterns for anomalies indicating potential token theft
- Track authentication events from OAuth2 providers for tokens used from unexpected IP addresses
How to Mitigate CVE-2026-3783
Immediate Actions Required
- Update cURL to the latest patched version as soon as vendor patches are available
- Review all automation scripts and applications that use cURL with OAuth2 bearer tokens
- Audit .netrc files and remove unnecessary machine or default entries
- Consider disabling automatic redirect following (--max-redirs 0) for sensitive OAuth2-authenticated requests
Patch Information
The cURL project has released security advisories for this vulnerability. Consult the cURL CVE-2026-3783 Advisory for official patch information and version guidance. Additional technical details are available in the HackerOne Report #3583983.
Organizations should prioritize updating cURL installations, particularly in environments where OAuth2 authentication is used for API communications or automated workflows.
Workarounds
- Disable redirect following for OAuth2-authenticated requests using --max-redirs 0 or CURLOPT_MAXREDIRS set to 0
- Remove or minimize entries in .netrc files, especially default entries
- Use application-level redirect handling instead of cURL's automatic redirect following for sensitive requests
- Implement strict host validation before including bearer tokens in requests
# Configuration example
# Disable automatic redirect following for OAuth2 requests
curl --max-redirs 0 \
--oauth2-bearer "YOUR_TOKEN" \
https://api.example.com/resource
# Alternative: Use libcurl option in code
# curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 0L);
# Audit .netrc for potentially dangerous entries
grep -E "^(machine|default)" ~/.netrc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
