CVE-2026-6429: Haxx Curl Information Disclosure Flaw

CVE-2026-6429 Overview

CVE-2026-6429 is an information disclosure vulnerability in libcurl, the widely deployed client-side URL transfer library maintained by the curl project. When an application instructs libcurl to read credentials from a .netrc file and to follow HTTP redirects, libcurl can transmit the password configured for the original host to the redirect target host under certain conditions. The flaw effectively breaks the host-scoping guarantee that .netrc is designed to enforce.

Critical Impact

Credentials intended for one host may be leaked to an attacker-controlled redirect destination, exposing authentication secrets used in automated scripts, CI/CD pipelines, and command-line tooling.

Affected Products

• Haxx curl (libcurl) — versions listed in the vendor advisory
• Applications and scripts that combine .netrc credential loading with redirect-following (CURLOPT_FOLLOWLOCATION / -L)
• Downstream OS packages and language bindings that ship libcurl

Discovery Timeline

• 2026-05-13 - CVE-2026-6429 published to NVD
• 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-6429

Vulnerability Analysis

The vulnerability lives in libcurl's redirect-handling path when combined with .netrc credential parsing. The .netrc file maps a username and password to a specific machine entry. When libcurl follows a redirect to a different host, it is expected to re-evaluate .netrc for that new host and avoid carrying credentials from the original host. Under specific circumstances described in the curl project advisory, libcurl fails to strip or re-scope the password, sending the original host's password in the Authorization header to the redirect target.

This is an information disclosure issue [CWE-200-class]. The confidentiality impact is high because the leaked material is a long-lived secret used for HTTP authentication. There is no integrity or availability impact, and exploitation requires the victim to follow a redirect crafted or controlled by an attacker.

The issue affects command-line invocations such as curl --netrc -L https://victim.example/ and any libcurl-based program that sets both CURLOPT_NETRC and CURLOPT_FOLLOWLOCATION.

Root Cause

The root cause is improper scoping of credentials across host boundaries during redirect processing. libcurl did not consistently clear the password loaded from .netrc before issuing the follow-up request to the new host, allowing host-bound credentials to escape their intended scope.

Attack Vector

An attacker who controls or compromises a server that the victim contacts, or who can influence a URL the victim retrieves, returns an HTTP redirect (3xx) pointing to an attacker-controlled host. When the victim's libcurl client follows that redirect with .netrc enabled, the password for the original host is sent to the attacker. The attack vector is network-based and requires no user interaction beyond running the original request.

No verified public exploit code is available. Refer to the cURL CVE-2026-6429 Documentation for the precise conditions and affected versions.

Detection Methods for CVE-2026-6429

Indicators of Compromise

• Outbound HTTP requests from automation hosts containing Authorization: Basic headers directed at unexpected external domains.
• Web server or proxy logs showing 3xx redirects from trusted endpoints to unrelated third-party hosts followed by authenticated requests.
• .netrc-using scripts (CI runners, backup jobs, package mirrors) contacting hosts not listed in their .netrc machine entries.

Detection Strategies

• Inventory hosts and pipelines using libcurl or the curl binary with both --netrc (or CURLOPT_NETRC) and -L / CURLOPT_FOLLOWLOCATION enabled.
• Inspect egress proxy logs for cross-domain redirect chains terminating in authenticated requests to non-corporate destinations.
• Audit installed libcurl versions across Linux, macOS, and Windows fleets against the fixed version listed in the vendor advisory.

Monitoring Recommendations

• Alert on TLS or HTTP egress to new external domains originating from build agents, schedulers, and service accounts that use .netrc.
• Monitor process telemetry for curl invocations that combine --netrc, --netrc-file, or --netrc-optional with -L or --location.
• Centralize libcurl version inventory and flag hosts running pre-fix releases identified in the curl project advisory.

How to Mitigate CVE-2026-6429

Immediate Actions Required

• Upgrade libcurl and the curl command-line tool to the fixed version published in the cURL CVE-2026-6429 Documentation.
• Rotate any credentials stored in .netrc files that may have been transmitted through redirect-following clients to untrusted hosts.
• Review automation, CI/CD jobs, and scripts that combine .netrc with redirect following and pause those that contact untrusted endpoints until patched.

Patch Information

The curl project has published a fix and version guidance in its advisory. Apply distribution updates from your OS vendor, or rebuild applications against a patched libcurl release. See the cURL CVE-2026-6429 Documentation and the HackerOne Report #3677759 for the authoritative fix details.

Workarounds

• Disable redirect following when .netrc is in use by omitting -L / CURLOPT_FOLLOWLOCATION, or validate the final URL before reissuing the authenticated request.
• Replace .netrc with per-request credentials passed via CURLOPT_USERPWD only after the final host is known.
• Restrict .netrc entries to the minimum required hosts, and avoid storing high-value credentials in .netrc on systems performing redirect-following requests.

# Configuration example: avoid combining --netrc with redirect following
# Vulnerable pattern (do not use until patched):
#   curl --netrc -L https://example.test/resource

# Safer pattern: resolve redirects without credentials, then authenticate to the final host
final_url=$(curl -s -o /dev/null -w '%{url_effective}' -L https://example.test/resource)
case "$final_url" in
  https://example.test/*) curl --netrc "$final_url" ;;
  *) echo "Refusing to send credentials to $final_url" >&2; exit 1 ;;
esac