CVE-2026-6276: Haxx Curl Information Disclosure Flaw

CVE-2026-6276 Overview

CVE-2026-6276 is a high-severity information disclosure vulnerability in libcurl, the widely deployed client-side URL transfer library maintained by the curl project. The flaw involves cookie leakage across HTTP requests that reuse the same easy handle. When an application sets a custom Host: header for an initial request and then issues a subsequent request on the same easy handle without that custom header, libcurl reuses stale host context. The second request transmits cookies scoped to the original host to an unintended destination. This breaks the cookie origin boundary and can expose authentication tokens, session identifiers, and other sensitive cookie values. The issue is tracked under [CWE-319] Cleartext Transmission of Sensitive Information.

Critical Impact

Applications reusing libcurl easy handles across hosts can leak session cookies, enabling account takeover and unauthorized access to authenticated APIs.

Affected Products

• Haxx curl (libcurl)
• Applications and language bindings that link against vulnerable libcurl versions
• Automation tools, package managers, and SDKs embedding libcurl for HTTP transport

Discovery Timeline

• 2026-05-13 - CVE-2026-6276 published to the National Vulnerability Database (NVD)
• 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-6276

Vulnerability Analysis

The vulnerability stems from improper state handling in libcurl's easy handle reuse logic. An easy handle is a reusable transfer context that carries options, headers, and cookie state across multiple HTTP operations. When an application calls curl_easy_setopt with CURLOPT_HTTPHEADER to set a custom Host: header, libcurl uses that value to determine the target host for cookie matching and request routing.

On the next transfer with the same handle, if the application clears or omits the custom Host: header, libcurl fails to fully reset the associated host context. The library carries forward stale host information from the prior request. As a result, cookies stored for the first host are attached to a request destined for a different host. The library then transmits those cookies in cleartext within the HTTP request, exposing them to the second host's operator and any on-path observer.

The vulnerability impacts confidentiality and integrity of session data without requiring authentication or user interaction. The attack surface is reachable over the network whenever an attacker controls or observes the second host in a multi-request workflow.

Root Cause

The root cause is incomplete cleanup of host-derived state between successive transfers on a shared easy handle. libcurl treats the absence of a custom Host: header on the second call as "no change required" rather than triggering a fresh derivation of host context from the new URL.

Attack Vector

An attacker exploits the flaw by controlling the destination of the second request, or by inducing an application to issue a follow-up request to an attacker-influenced URL after a prior request used a custom Host: header. Cookies belonging to the first origin are sent to the second origin in the request headers. The attacker collects them server-side and replays them against the legitimate first host.

No verified public proof-of-concept code is available. Refer to the curl.se advisory for CVE-2026-6276 and the HackerOne Report #3671818 for technical details from the maintainers.

Detection Methods for CVE-2026-6276

Indicators of Compromise

• Outbound HTTP requests carrying Cookie: headers whose domain attributes do not match the request URL host
• Repeated cross-host cookie reuse patterns originating from a single client process or service identifier
• Unexpected authenticated sessions on the first host originating from IP addresses associated with the second host operator

Detection Strategies

• Inspect outbound HTTP traffic at egress proxies for mismatches between the destination host and the cookie scope in transmitted Cookie: headers
• Audit applications that link libcurl for code paths that call curl_easy_setopt with custom Host: headers followed by transfers to a different URL on the same handle
• Correlate web server access logs across services to identify session tokens appearing on hosts they were not issued for

Monitoring Recommendations

• Enable verbose logging on libcurl-based clients during testing using CURLOPT_VERBOSE to confirm header and cookie behavior between transfers
• Monitor package inventory for installed libcurl versions and flag systems running releases listed in the vendor advisory
• Alert on anomalous cookie reuse patterns in web application firewall and reverse proxy logs

How to Mitigate CVE-2026-6276

Immediate Actions Required

• Upgrade libcurl to the fixed release identified in the curl.se security advisory
• Audit application code that reuses easy handles across hosts and add explicit handle resets between unrelated transfers
• Rotate session cookies and authentication tokens that may have transited cross-host through vulnerable clients

Patch Information

The curl project published the official fix and affected version ranges in the curl.se CVE-2026-6276 advisory. Rebuild and redistribute applications that statically link libcurl. Update OS packages providing the shared libcurl library and restart dependent services to load the patched binary.

Workarounds

• Call curl_easy_reset on the easy handle between transfers that target different hosts to clear residual state
• Allocate a new easy handle per target host rather than reusing a single handle across origins
• Avoid mixing custom Host: header usage with subsequent transfers on the same handle until patched libcurl is deployed

# Verify installed libcurl version on Linux hosts
curl --version
ldconfig -p | grep libcurl
dpkg -l | grep -E 'libcurl|curl'   # Debian/Ubuntu
rpm -qa | grep -E 'libcurl|curl'   # RHEL/Fedora