CVE-2026-6253 Overview
CVE-2026-6253 is a credential leakage vulnerability in curl, the widely deployed command-line tool and libcurl library used for network transfers. The flaw causes curl to forward credentials configured for one proxy to a second, unrelated proxy under specific redirect conditions. The issue is tracked under CWE-522: Insufficiently Protected Credentials and disclosed through the cURL CVE-2026-6253 Documentation.
Critical Impact
Authenticated proxy credentials can leak to a different proxy server during cross-scheme HTTP redirects, exposing sensitive authentication material to unintended network endpoints.
Affected Products
- Haxx curl (command-line tool)
- libcurl (the library that applications link against)
- Applications and scripts using curl with scheme-specific proxy configurations
Discovery Timeline
- 2026-05-13 - CVE-2026-6253 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6253
Vulnerability Analysis
The vulnerability arises when curl is configured to use distinct proxies for different URL schemes. If the initial request routes through a proxy that requires credentials, and the server responds with a redirect to a URL using a different scheme, curl selects the second proxy associated with that scheme. Curl then incorrectly attaches the credentials intended for the first proxy to requests sent through the second proxy.
The second proxy may belong to a different administrative domain or operate without authentication entirely. Once forwarded, the credentials are exposed in Proxy-Authorization headers transmitted to an unintended endpoint. An operator of the second proxy, or any party able to observe traffic to it, can capture the credentials.
The issue is classified under CWE-522, reflecting insufficient protection of authentication material across trust boundaries.
Root Cause
The defect lies in curl's proxy selection and credential propagation logic during redirect handling. The code does not reset or scope the cached proxy credentials when the redirect target triggers selection of a different proxy. Credentials remain attached to the transfer handle and are reused without verifying that the destination proxy is the same one for which they were originally supplied.
Attack Vector
Exploitation requires four conditions to align simultaneously: scheme-specific proxy configuration, credentials on the first proxy, no credentials on the second proxy, and a redirect across schemes. An attacker controlling a target web server can issue a crafted redirect from http:// to https:// (or vice versa) to force curl to switch proxies. If the attacker also controls or observes the second proxy, captured Proxy-Authorization headers yield the first proxy's credentials.
The vulnerability requires no user interaction and is exploitable over the network, though the high attack complexity reflects the narrow set of preconditions. Refer to the HackerOne Report #3669637 for additional technical detail.
Detection Methods for CVE-2026-6253
Indicators of Compromise
- Unexpected Proxy-Authorization headers observed in traffic destined for proxies that do not require authentication.
- curl client logs showing scheme transitions during redirect chains while scheme-specific proxy environment variables are set (http_proxy, https_proxy / HTTPS_PROXY; note that curl honors http_proxy only in lowercase).
- Authentication attempts logged on proxies for accounts that should not transit through them.
Detection Strategies
- Inspect outbound proxy traffic for Proxy-Authorization headers sent to proxies configured without authentication requirements.
- Audit curl and libcurl usage across automation, CI/CD pipelines, and scripts for combinations of --proxy, --proxy-user, and scheme-specific proxy variables.
- Review proxy access logs for credentialed requests originating immediately after cross-scheme redirects.
Monitoring Recommendations
- Enable verbose curl logging (-v or CURLOPT_VERBOSE) in test environments to validate proxy behavior across redirects.
- Forward proxy server access logs to a centralized analytics platform and alert on anomalous authentication events.
- Track installed curl and libcurl versions across the fleet to identify hosts running vulnerable releases.
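The Monitoring Recommendations suggest validating proxy behavior from verbose curl output, and the Detection Strategies describe the pattern to look for: a credential sent to one proxy reappearing on a different proxy right after a cross-scheme redirect. The following added Python checker (not curl's code and not part of the original page) implements that check over a curl -v trace; it assumes curl's usual `*` / `>` / `<` line shapes, and the trace, proxy host names and the Basic token are constructed sample values.

```python
import re

# curl -v line shapes relied on: '*' info lines for the proxy connection, '> ' for outgoing request lines/headers.
CONNECT_RE = re.compile(r"^\* Connected to (\S+) \(\S+\) port (\d+)")
REQUEST_RE = re.compile(r"^> (CONNECT|GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/")
PROXY_AUTH_RE = re.compile(r"^> Proxy-Authorization:\s*(.+)$", re.IGNORECASE)


def parse_hops(trace):
    """One dict per request: the proxy it used, the URL scheme, the Proxy-Authorization value."""
    hops, proxy = [], None
    for line in trace.splitlines():
        if m := CONNECT_RE.match(line):
            proxy = f"{m.group(1)}:{m.group(2)}"
        elif m := REQUEST_RE.match(line):
            method, target = m.groups()
            # CONNECT is a TLS tunnel (https); a proxied plain request carries an absolute URL
            scheme = "https" if method == "CONNECT" else target.split("://", 1)[0].lower()
            hops.append({"proxy": proxy, "scheme": scheme, "cred": None})
        elif (m := PROXY_AUTH_RE.match(line)) and hops:
            hops[-1]["cred"] = m.group(1).strip()
    return hops


def find_credential_leaks(trace):
    """Flag hops where a Proxy-Authorization value first sent to one proxy is
    re-sent to a different proxy (the CVE-2026-6253 pattern after a redirect)."""
    hops, origin_of, leaks = parse_hops(trace), {}, []
    for i, hop in enumerate(hops):
        if hop["cred"] is None:
            continue
        origin = origin_of.setdefault(hop["cred"], hop["proxy"])
        if hop["proxy"] != origin:
            leaks.append({"hop": i, "from_proxy": origin, "to_proxy": hop["proxy"],
                          "scheme_changed": hops[i - 1]["scheme"] != hop["scheme"]})
    return leaks


# Constructed trace approximating curl -v output; hosts and the Basic token
# (base64 of "user:pass") are sample values, not captured data.
SAMPLE_TRACE = """\
* Connected to proxy1.example.com (10.0.0.1) port 3128
> GET http://target.example.com/resource HTTP/1.1
> Proxy-Authorization: Basic dXNlcjpwYXNz
< HTTP/1.1 302 Found
< Location: https://target.example.com/resource
* Connected to proxy2.example.com (10.0.0.2) port 8080
> CONNECT target.example.com:443 HTTP/1.1
> Proxy-Authorization: Basic dXNlcjpwYXNz
"""
```

Running `find_credential_leaks(SAMPLE_TRACE)` returns one entry naming proxy1 as the proxy the credential was supplied for and proxy2 as the unintended recipient, with `scheme_changed` set; a trace in which the second proxy receives no Proxy-Authorization header returns an empty list.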
How to Mitigate CVE-2026-6253
Immediate Actions Required
- Upgrade curl and libcurl to the fixed version identified in the cURL CVE-2026-6253 Documentation.
- Rotate any proxy credentials that may have been exposed through cross-scheme redirects.
- Audit applications that rely on scheme-specific proxy configurations and disable redirect following where it is not strictly required.
Patch Information
The curl maintainers published the official advisory and remediation details at the cURL CVE-2026-6253 Documentation and structured data at the cURL CVE-2026-6253 JSON Data. Additional context is available on the Openwall OSS-Security Discussion. Apply the upstream patch or upgrade to a distribution package that incorporates the fix.
Workarounds
- Disable redirect following by removing -L / --location or setting CURLOPT_FOLLOWLOCATION to 0 until patches are applied.
- Use a single proxy for all schemes when authentication is required, eliminating the scheme-switch condition.
- Limit CURLOPT_REDIR_PROTOCOLS (CURLOPT_REDIR_PROTOCOLS_STR in newer libcurl releases, --proto-redir on the command line) to the original request's scheme so that a redirect to the other scheme is refused.
# Configuration example: disable redirects and constrain protocols.
# --no-location stops redirect following outright, so the proxy never switches.
# --proto-redir only takes effect if -L is re-enabled later; restricting it to
# the original scheme (https here) refuses a cross-scheme redirect in that case.
curl --proxy http://user:pass@proxy1.example.com:3128 \
     --no-location \
     --proto-redir =https \
     https://target.example.com/resource
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.