CVE-2026-5545 Overview
CVE-2026-5545 is an insufficient session expiration vulnerability [CWE-613] in libcurl. The flaw causes libcurl to reuse the wrong connection from its connection pool after a Negotiate-authenticated HTTP(S) request. When an application performs a follow-up request to the same host with different credentials, libcurl may route it over the previously authenticated connection. The new request then executes under the prior user's authenticated session rather than the credentials supplied for the second operation.
Critical Impact
An application that switches authentication credentials against the same server may inadvertently transmit requests under the wrong identity, leading to unauthorized data access or integrity violations on the target service.
Affected Products
- Haxx curl (libcurl) — versions distributed under cpe:2.3:a:haxx:curl
- Applications linking against vulnerable libcurl builds that use Negotiate authentication
- HTTP(S) clients that rely on libcurl's connection pool for credential-switching workflows
Discovery Timeline
- 2026-05-13 - CVE-2026-5545 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-5545
Vulnerability Analysis
libcurl maintains a pool of recently used connections to avoid the overhead of repeated TCP and TLS handshakes. Subsequent requests evaluate a set of criteria to decide whether an existing connection can be reused. A logical error in the reuse-matching logic fails to fully account for the authentication identity bound to a connection that completed Negotiate authentication.
Negotiate (SPNEGO/Kerberos/NTLM) authenticates the entire connection rather than individual requests. After the handshake, the server treats every subsequent request on that socket as belonging to the original principal. libcurl's pool selection does not invalidate that binding when the next operation specifies a different user:password pair targeting the same host.
Root Cause
The defect is an insufficient session expiration condition in the connection-matching code path. The reuse predicate compares hostname, port, and protocol attributes but does not reject a pooled connection that completed Negotiate authentication under different credentials. The connection remains eligible for reuse while still bound to the prior authenticated principal.
Attack Vector
Exploitation requires a specific application flow rather than direct attacker interaction. An application must first issue a Negotiate-authenticated request with user1:password1, keep the connection alive in the pool, and then issue a second request to the same host with user2:password2 requesting any authentication method. The second request is silently delivered over the still-authenticated user1 connection. The server processes operations under user1's identity while the application believes it acted as user2, producing integrity loss and potential disclosure of user1-scoped data to the user2 workflow.
// No verified proof-of-concept code is published.
// See the cURL advisory for technical details:
// https://curl.se/docs/CVE-2026-5545.html
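As an added illustration that is not libcurl source code, the following C model shows the reuse predicate described in the Root Cause and Attack Vector sections: a vulnerable version that matches a pooled connection on scheme, host and port only, beside a hardened version that also compares the identity bound to a connection that completed Negotiate. The struct and function names (pooled_conn, can_reuse_vulnerable, can_reuse_hardened, identity_seen_by_server) are hypothetical, and the host and credentials are placeholders.

```c
/* Added illustration (not libcurl source): a minimal model of a connection
 * pool whose reuse predicate compares only scheme/host/port, beside a hardened
 * predicate that also compares the identity bound to a Negotiate-authenticated
 * connection. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

typedef struct {
    const char *scheme;
    const char *host;
    int port;
    bool negotiate_done;        /* connection completed a Negotiate handshake */
    const char *bound_userpwd;  /* principal the server now associates with the socket */
} pooled_conn;

typedef struct {
    const char *scheme;
    const char *host;
    int port;
    const char *userpwd;        /* credentials the application intends to use */
} request;

static bool endpoint_matches(const pooled_conn *c, const request *r) {
    return strcmp(c->scheme, r->scheme) == 0 &&
           strcmp(c->host, r->host) == 0 &&
           c->port == r->port;
}

/* Vulnerable predicate: an endpoint match is sufficient, so a connection still
 * bound to user1 is handed to a request that intends to act as user2. */
bool can_reuse_vulnerable(const pooled_conn *c, const request *r) {
    return endpoint_matches(c, r);
}

/* Hardened predicate: a connection that completed Negotiate is bound to one
 * principal, so it is reusable only by a request carrying the same credentials. */
bool can_reuse_hardened(const pooled_conn *c, const request *r) {
    if (!endpoint_matches(c, r))
        return false;
    if (c->negotiate_done)
        return c->bound_userpwd != NULL && r->userpwd != NULL &&
               strcmp(c->bound_userpwd, r->userpwd) == 0;
    return true;
}

/* Simulate the flow from the advisory: request 1 authenticated as user1 and
 * left its connection in the pool; request 2 targets the same host as user2.
 * Returns the identity the server would attribute request 2 to. */
const char *identity_seen_by_server(bool (*can_reuse)(const pooled_conn *, const request *)) {
    pooled_conn c = { "https", "target.example.com", 443, true, "user1:password1" };
    request r2 = { "https", "target.example.com", 443, "user2:password2" };
    if (can_reuse(&c, &r2))
        return c.bound_userpwd;   /* request rides the still-authenticated user1 socket */
    return r2.userpwd;            /* a fresh connection authenticates as user2 */
}

/* The hardened predicate still permits reuse when the same principal returns. */
bool hardened_allows_same_principal(void) {
    pooled_conn c = { "https", "target.example.com", 443, true, "user1:password1" };
    request r = { "https", "target.example.com", 443, "user1:password1" };
    return can_reuse_hardened(&c, &r);
}

int main(void) {
    printf("vulnerable: server sees %s\n", identity_seen_by_server(can_reuse_vulnerable));
    printf("hardened:   server sees %s\n", identity_seen_by_server(can_reuse_hardened));
    return 0;
}
```

The model keeps the hardened rule narrow on purpose: a connection that never completed Negotiate is still freely reusable, so the fix does not cost the pool anything for unauthenticated or per-request-authenticated traffic.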
Detection Methods for CVE-2026-5545
Indicators of Compromise
- Server-side audit logs showing actions attributed to a Kerberos or Negotiate principal that does not match the credentials the calling application intended to use.
- Application logs indicating credential switches against the same host without an intervening connection close or CURLOPT_FRESH_CONNECT directive.
- Mismatches between client-side request metadata and server-side authenticated-user fields for HTTP(S) traffic originating from libcurl-based tools.
Detection Strategies
- Inventory binaries and packages linking libcurl and identify versions affected by CVE-2026-5545 using software composition analysis.
- Correlate authentication events from Kerberos-protected services against the originating client process to surface identity drift on long-lived connections.
- Inspect HTTP(S) proxies for repeated requests on a single keep-alive connection that span different application-layer user contexts.
Monitoring Recommendations
- Alert on services that accept Negotiate authentication when a single TCP session services requests intended for multiple distinct principals.
- Monitor outbound HTTPS connections from libcurl-based applications for unexpected reuse durations following authenticated transactions.
- Track package update telemetry to confirm patched libcurl versions are deployed across endpoint and server fleets.
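To make the correlation in the Detection Strategies and Monitoring Recommendations sections concrete, here is an added C example (not part of this advisory or any vendor tooling) that joins the identity a libcurl-based client intended to use with the principal the Negotiate-protected service authenticated, keyed by TCP session, and reports two kinds of identity drift. The log format (`conn=... intended=... principal=...`) and the sample lines are constructed for the example; real deployments would feed it from their own client and server audit sources.

```c
/* Added example (constructed input, not a real log format): correlate the
 * identity an application intended to use with the principal the server
 * authenticated, keyed by TCP session id, and flag identity drift.
 * Field names (conn, intended, principal) are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_EVENTS 64
#define NAME_LEN 64

typedef struct {
    char conn[NAME_LEN];        /* TCP session identifier shared by client and server logs */
    char intended[NAME_LEN];    /* user the libcurl-based client meant to act as */
    char principal[NAME_LEN];   /* principal the Negotiate-protected service authenticated */
} auth_event;

/* Parse one correlated line of the form
 * "conn=<id> intended=<user> principal=<user>"; returns false on malformed input. */
bool parse_event(const char *line, auth_event *ev) {
    return sscanf(line, "conn=%63s intended=%63s principal=%63s",
                  ev->conn, ev->intended, ev->principal) == 3;
}

typedef struct {
    int mismatches;        /* request executed under a principal other than the intended one */
    int shared_sessions;   /* one TCP session carried requests for more than one intended user */
} drift_report;

drift_report detect_identity_drift(const char *const *lines, int n) {
    auth_event ev[MAX_EVENTS];
    int count = 0;
    drift_report rep = {0, 0};

    /* Rule 1: client-intended identity disagrees with the server-authenticated one. */
    for (int i = 0; i < n && count < MAX_EVENTS; i++) {
        if (!parse_event(lines[i], &ev[count]))
            continue;                                   /* skip malformed lines */
        if (strcmp(ev[count].intended, ev[count].principal) != 0)
            rep.mismatches++;
        count++;
    }

    /* Rule 2: a single TCP session served requests intended for distinct users.
     * Each session is counted once, at its first occurrence. */
    for (int i = 0; i < count; i++) {
        bool first = true;
        for (int j = 0; j < i; j++)
            if (strcmp(ev[i].conn, ev[j].conn) == 0) { first = false; break; }
        if (!first)
            continue;
        for (int j = i + 1; j < count; j++)
            if (strcmp(ev[i].conn, ev[j].conn) == 0 &&
                strcmp(ev[i].intended, ev[j].intended) != 0) {
                rep.shared_sessions++;
                break;
            }
    }
    return rep;
}

/* Constructed sample: the advisory's flow on session c7 (user1, then a request
 * intended for user2 that the server still attributes to user1), a healthy
 * session c9 used by one identity only, and one malformed line. */
static const char *const SAMPLE_LOG[] = {
    "conn=c7 intended=user1 principal=user1",
    "conn=c7 intended=user2 principal=user1",
    "conn=c9 intended=user3 principal=user3",
    "conn=c9 intended=user3 principal=user3",
    "garbage line",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

drift_report run_sample(void) {
    return detect_identity_drift(SAMPLE_LOG, (int)SAMPLE_LOG_LEN);
}

int main(void) {
    drift_report r = run_sample();
    printf("intended/authenticated mismatches: %d\n", r.mismatches);
    printf("sessions shared across identities: %d\n", r.shared_sessions);
    return 0;
}
```

Rule 2 fires even when the server-side principal field is unavailable, which matters because many services log only the authenticated principal and not what the client meant to send; the join key is the TCP session, so the client side must log a connection identifier (for example from CURLINFO_CONN_ID or the local socket tuple) alongside the credentials it configured.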
How to Mitigate CVE-2026-5545
Immediate Actions Required
- Upgrade libcurl to the fixed release referenced in the cURL CVE-2026-5545 advisory.
- Audit applications that use Negotiate authentication and switch credentials against the same host within a single libcurl handle's lifetime.
- Rebuild or repackage downstream software that statically links libcurl against the fixed version.
Patch Information
The curl project published advisory details and patch references at the cURL CVE-2026-5545 Documentation and machine-readable metadata at the cURL CVE-2026-5545 JSON Details. The HackerOne disclosure is tracked in HackerOne Report #3642555. Apply the upstream fix or the corresponding distribution package update.
Workarounds
- Set CURLOPT_FRESH_CONNECT to force a new connection when changing credentials against the same host.
- Use a separate CURL easy handle per authenticated identity to prevent pool sharing across credential boundaries.
- Disable connection reuse by setting CURLOPT_FORBID_REUSE for requests that follow a Negotiate-authenticated operation.
# Command-line example: each curl invocation runs in its own process with its
# own connection pool, so issuing one invocation per credential set never
# inherits a Negotiate-authenticated connection from another identity.
# Note that --no-keepalive only disables TCP keepalive probes; it does not
# prevent libcurl from reusing a pooled connection.
curl --negotiate \
  --user "user2:password2" \
  https://target.example.com/resource
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.