CVE-2026-4873 Overview
CVE-2026-4873 is a vulnerability in the cURL library where a connection requiring Transport Layer Security (TLS) incorrectly reuses an existing unencrypted connection from the same connection pool. When an initial transfer occurs in cleartext via Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), or Post Office Protocol 3 (POP3), a subsequent request to the same host bypasses the TLS requirement and transmits its data unencrypted over the existing socket. The flaw maps to CWE-295 (Improper Certificate Validation) and CWE-319 (Cleartext Transmission of Sensitive Information).
Critical Impact
Credentials and message contents intended for TLS-protected mail protocol sessions can transit the network in cleartext, exposing them to network-positioned attackers.
Affected Products
- Haxx cURL (command-line tool)
- libcurl (client-side URL transfer library)
- Applications and runtimes that embed libcurl for IMAP, SMTP, or POP3 transfers
Discovery Timeline
- 2026-04-29 - Vulnerability discussed on the OpenWall oss-security list
- 2026-05-13 - CVE-2026-4873 published to the National Vulnerability Database (NVD)
- 2026-05-14 - Last updated in the NVD
Technical Details for CVE-2026-4873
Vulnerability Analysis
The defect lives in libcurl's connection pool reuse logic for mail protocols. cURL maintains a pool of established connections to avoid the cost of reopening sockets and renegotiating sessions. When a new transfer requests the same host, libcurl searches the pool for a compatible connection. The matching logic fails to treat the TLS requirement as a strict differentiator for IMAP, SMTP, and POP3.
As a result, a transfer initiated with imaps://, smtps://, pop3s://, or one requesting STARTTLS upgrade can be bound to a previously opened cleartext socket. The library skips the TLS handshake because it considers the connection already established. Authentication credentials, message bodies, and protocol commands then traverse the network without encryption. This breaks the security contract implied by the URL scheme or the explicit TLS option supplied by the calling application.
Root Cause
The connection matching code does not enforce that pooled connections used for a TLS-required transfer must themselves be TLS-protected. The pool key omits the TLS state for IMAP, SMTP, and POP3, allowing a non-TLS socket to satisfy a TLS-required lookup.
Attack Vector
Exploitation requires an attacker positioned to observe network traffic between the cURL-based client and the targeted mail server. The attacker also needs the client to perform an initial cleartext transfer to the same host before issuing the TLS-required transfer in the same process. Given the high attack complexity reflected in the vector string, the conditions are non-trivial but realistic in multi-tenant or proxy-mediated environments.
No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the cURL CVE-2026-4873 Documentation and HackerOne Report #3621851 for protocol-level details.
Detection Methods for CVE-2026-4873
Indicators of Compromise
- Outbound IMAP (TCP/143), SMTP (TCP/25, 587), or POP3 (TCP/110) sessions carrying authentication commands such as LOGIN, AUTH PLAIN, or USER/PASS to hosts that should only be reached via TLS
- Mail server access logs showing successful authentications over cleartext ports from hosts that normally use IMAPS (993), SMTPS (465), or POP3S (995)
- Absence of STARTTLS negotiation followed by cleartext AUTH exchanges within the same TCP session
Detection Strategies
- Inspect network telemetry for cleartext credentials destined for hosts that also receive TLS-protected mail traffic from the same source
- Audit applications that link against libcurl and verify the installed version against fixed releases listed in the cURL advisory
- Run software composition analysis across container images and build artifacts to surface vulnerable libcurl versions
Monitoring Recommendations
- Enable protocol-aware logging on mail gateways to flag plaintext AUTH over ports 25, 110, and 143
- Forward DNS, NetFlow, and proxy logs to a centralized analytics platform to correlate cleartext mail sessions with the originating process or container
- Alert on TLS handshake absence when the destination host has previously negotiated TLS with the same source within a defined window
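The following is an added example, not part of the original advisory, that implements the correlation described under Detection Strategies and Monitoring Recommendations: it flags cleartext authentication to a mail host and, separately, cleartext authentication to a host that the same source had already reached over TLS within a defined window. The session records, their whitespace-separated format and the one-hour window are constructed assumptions for the example; adapt the parser to your flow or gateway log format.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample session telemetry (not real data), one session per line:
# <ISO timestamp> <src ip> <dst host> <dst port> <tls|clear> <auth command or ->
SAMPLE_SESSIONS = """\
2026-05-15T10:00:01Z 10.0.0.5 mail.example.com 993 tls -
2026-05-15T10:00:05Z 10.0.0.5 mail.example.com 143 clear LOGIN
2026-05-15T10:00:09Z 10.0.0.7 relay.example.net 25 clear -
2026-05-15T10:20:00Z 10.0.0.7 relay.example.net 587 tls -
2026-05-15T12:30:00Z 10.0.0.7 relay.example.net 25 clear AUTH
2026-05-15T13:00:00Z 10.0.0.9 mail.example.com 110 clear USER
"""

AUTH_COMMANDS = {"LOGIN", "AUTH", "USER"}  # IMAP LOGIN, SMTP AUTH, POP3 USER/PASS
CORRELATION_WINDOW = timedelta(hours=1)    # assumed "defined window" for the downgrade rule


def parse_sessions(text: str) -> List[Dict]:
    """Parse the whitespace-separated records and sort them by timestamp."""
    sessions = []
    for line in text.splitlines():
        ts, src, dst, port, tls, auth = line.split()
        sessions.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port),
            "tls": tls == "tls", "auth": None if auth == "-" else auth,
        })
    return sorted(sessions, key=lambda s: s["ts"])


def find_cleartext_fallback(sessions: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, src, dst) findings.
    'cleartext-auth': an authentication command sent over a non-TLS session.
    'tls-downgrade': that cleartext auth went to a host the same source had reached
    over TLS within CORRELATION_WINDOW, the pattern a vulnerable libcurl produces
    when a TLS-required transfer is bound to a pooled cleartext socket."""
    last_tls: Dict[Tuple[str, str], datetime] = {}
    findings: List[Tuple[str, str, str]] = []
    for s in sessions:
        key = (s["src"], s["dst"])
        if s["tls"]:
            last_tls[key] = s["ts"]   # remember the most recent TLS contact per pair
            continue
        if s["auth"] in AUTH_COMMANDS:
            findings.append(("cleartext-auth", s["src"], s["dst"]))
            seen = last_tls.get(key)
            if seen is not None and s["ts"] - seen <= CORRELATION_WINDOW:
                findings.append(("tls-downgrade", s["src"], s["dst"]))
    return findings
```

On the sample data, only the 10.0.0.5 session (cleartext LOGIN four seconds after an IMAPS session to the same host) triggers the downgrade rule; the 10.0.0.7 cleartext AUTH falls outside the window and is reported as cleartext authentication only.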
How to Mitigate CVE-2026-4873
Immediate Actions Required
- Upgrade curl and libcurl to the fixed version identified in the cURL CVE-2026-4873 Documentation
- Inventory every application, container, and operating system image that ships libcurl and schedule patching for each
- Rotate any IMAP, SMTP, or POP3 credentials that may have transited cleartext sessions from vulnerable clients
Patch Information
The cURL project published the fix and vendor advisory at curl.se/docs/CVE-2026-4873.html. Machine-readable metadata is available in the cURL CVE-2026-4873 JSON Data. Distributions that package libcurl will release backported updates; apply vendor patches as they become available.
Workarounds
- Disable connection reuse for affected transfers by setting CURLOPT_FORBID_REUSE or invoking the cURL command-line tool with --no-keepalive for IMAP, SMTP, and POP3 sessions
- Avoid mixing cleartext and TLS-required mail transfers to the same host within a single process lifetime
- Enforce TLS at the network layer by blocking outbound cleartext mail ports (25, 110, 143) to external mail servers and requiring SMTP submission over 465 or 587 with TLS, and IMAP/POP3 access over 993/995
# Configuration example: force a fresh connection for TLS-required mail transfers
# --ssl-reqd makes curl abort the transfer if the server cannot upgrade to TLS,
# rather than continuing in cleartext; --no-keepalive turns off TCP keepalive
# on the socket. Replace the host, addresses and credential with your own values.
curl --no-keepalive \
  --ssl-reqd \
  smtp://mail.example.com:587 \
  --mail-from sender@example.com \
  --mail-rcpt recipient@example.com \
  --upload-file message.eml \
  --user 'sender@example.com:REDACTED'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.