CVE-2026-7168 Overview
CVE-2026-7168 is a credential leakage vulnerability in libcurl affecting HTTP proxy Digest authentication. When an application reuses a curl handle to perform a second transfer through a different proxy, libcurl incorrectly forwards the Proxy-Authorization: header generated for the original proxy (proxyA) to the new proxy host (proxyB). This exposes proxy credentials to an unintended endpoint and is classified as CWE-294 (Authentication Bypass by Capture-replay).
The issue is network-exploitable and requires no privileges or user interaction, though impact is limited to confidentiality of the proxy credential material.
Critical Impact
Proxy Digest credentials intended for one HTTP proxy can be leaked to a second proxy host when a curl handle is reused, enabling capture and potential replay by the unintended proxy.
Affected Products
- Haxx curl (libcurl library)
- Applications linking against vulnerable libcurl versions that reuse handles across proxies
- Tools and SDKs embedding libcurl for HTTP proxy transfers with Digest authentication
Discovery Timeline
- 2026-05-13 - CVE-2026-7168 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-7168
Vulnerability Analysis
The defect resides in libcurl's handle state management for HTTP proxy authentication. After a successful Digest authentication negotiation with proxyA, libcurl retains the computed Proxy-Authorization: header on the easy handle. When the application changes CURLOPT_PROXY to proxyB and reuses that handle for a subsequent transfer, libcurl emits the cached header value to the new proxy without validating that the proxy host has changed.
The header contains a Digest response hash derived from the user's proxy credentials, the realm advertised by proxyA, and a nonce. Although Digest is not a cleartext credential, the leaked header gives proxyB material useful for offline analysis, replay attacks against proxyA, or correlation of user activity across infrastructure.
Root Cause
The root cause is improper invalidation of cached authentication state when the proxy target changes between transfers on a reused handle. libcurl treats the previously computed Proxy-Authorization data as still valid rather than recomputing or clearing it when the proxy host differs from the one that issued the original challenge.
Attack Vector
An attacker who controls or observes proxyB, or who can influence an application to redirect proxy traffic to an attacker-controlled host, can capture the leaked Proxy-Authorization: header. The vulnerability is reachable over the network with low attack complexity, requires no authentication to the target, and needs no user interaction.
Exploitation requires the victim application to legitimately authenticate to a first proxy with Digest, then reuse the same curl handle for a transfer to a second proxy. See the cURL CVE-2026-7168 Documentation for the upstream technical writeup.
Detection Methods for CVE-2026-7168
Indicators of Compromise
- Unexpected Proxy-Authorization: headers arriving at proxies that never issued a 407 Digest challenge to the client.
- Proxy access logs showing Digest authentication attempts from clients whose credentials belong to a different upstream proxy realm.
- Curl-based applications configured with handle reuse across multiple CURLOPT_PROXY values in a single session.
Detection Strategies
- Inspect HTTP proxy logs for Proxy-Authorization Digest values referencing a realm that does not match the receiving proxy.
- Audit applications and scripts for code paths that mutate proxy settings on a reused curl easy handle without calling curl_easy_reset or clearing authentication options.
- Use network telemetry to correlate outbound proxy connections from the same client to multiple distinct proxy hosts within short time windows.
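The realm-mismatch and missing-challenge checks from the two lists above, run over a few constructed proxy access log lines. This is an added example, not code from the advisory or from the curl project; the log line format, the proxy host names, the realm names and the PROXY_REALMS mapping are all assumptions, and the client-to-proxy correlation check is the same "did this proxy ever send this client a 407" heuristic the indicators describe.

```python
import re

# Constructed sample proxy access log (assumed format, not a real product's):
# "<proxy_host> <client_ip> <status> <Proxy-Authorization value or ->"
SAMPLE_LOG = """\
proxya.example.net 10.0.0.5 407 -
proxya.example.net 10.0.0.5 200 Digest username="alice", realm="proxyA-users", nonce="6f1c", uri="/", response="0a1b"
proxyb.example.net 10.0.0.5 200 Digest username="alice", realm="proxyA-users", nonce="6f1c", uri="/", response="0a1b"
proxyb.example.net 10.0.0.9 407 -
proxyb.example.net 10.0.0.9 200 Digest username="bob", realm="proxyB-users", nonce="77aa", uri="/", response="c3d4"
"""

# Assumed: the realm each proxy advertises in its own 407 challenge.
PROXY_REALMS = {
    "proxya.example.net": "proxyA-users",
    "proxyb.example.net": "proxyB-users",
}

# key=value pairs; the value is either quoted or a bare token (qop=auth, nc=00000001)
PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest(header):
    """Return the Digest parameters as a dict, or None for non-Digest values."""
    if not header.startswith("Digest "):
        return None
    params = {}
    for m in PARAM_RE.finditer(header[len("Digest "):]):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def find_leaks(log_text, proxy_realms):
    """Return (line_no, proxy, client, reason) for suspicious Digest headers.

    Two checks from the advisory's indicators: the realm in the header must be
    the receiving proxy's own realm, and the proxy should have challenged (407)
    that client earlier in the log. The second check is a heuristic: a client
    may hold a nonce from before the log window, so treat hits as leads.
    """
    findings = []
    challenged = set()  # (proxy, client) pairs that received a 407 from that proxy
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        proxy, client, status, rest = line.split(" ", 3)
        if status == "407":
            challenged.add((proxy, client))
            continue
        params = parse_digest(rest)
        if params is None:
            continue
        realm, expected = params.get("realm"), proxy_realms.get(proxy)
        if realm != expected:
            findings.append((n, proxy, client,
                             f"realm {realm!r} belongs to another proxy (expected {expected!r})"))
        if (proxy, client) not in challenged:
            findings.append((n, proxy, client,
                             "Digest credentials sent without a prior 407 from this proxy"))
    return findings


if __name__ == "__main__":
    for n, proxy, client, reason in find_leaks(SAMPLE_LOG, PROXY_REALMS):
        print(f"line {n}: {client} -> {proxy}: {reason}")
```

On the sample, only the third line fires, on both checks: alice's proxyA-users header reaches proxyb.example.net, which never challenged that client. Keying the expected realm on the receiving proxy is what makes the check cheap to run in a SIEM pipeline; the parser accepts quoted and bare parameter values so qop, nc and cnonce fields do not break it.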
Monitoring Recommendations
- Capture and review proxy authentication failures and realm mismatches in SIEM pipelines.
- Track libcurl versions deployed across the estate via software inventory and flag versions prior to the upstream fix referenced in the cURL advisory.
- Alert on egress traffic from internal applications to proxy endpoints not present in approved proxy allowlists.
How to Mitigate CVE-2026-7168
Immediate Actions Required
- Upgrade libcurl to the fixed version published by the curl project as referenced in the vendor advisory.
- Rotate any proxy Digest credentials that may have been transmitted to untrusted secondary proxies.
- Audit applications that switch proxy targets on reused curl handles and refactor to use fresh handles per proxy.
Patch Information
The curl project has released a patched version addressing the improper retention of Proxy-Authorization: across proxy changes. Refer to the cURL CVE-2026-7168 Documentation and JSON metadata for affected version ranges and the corresponding fixed release. Distribution-level backports are tracked via the Openwall OSS Security discussion.
Workarounds
- Allocate a new curl easy handle for each proxy rather than reusing a single handle across different proxy hosts.
- Call curl_easy_reset on the handle before changing CURLOPT_PROXY, and clear CURLOPT_PROXYUSERPWD and related authentication options. Note that curl_easy_reset returns every option on the handle to its default, so any other options the next transfer needs must be set again afterwards.
- Avoid mixing Digest-authenticated proxy transfers with subsequent transfers through proxies that are not fully trusted.
# Configuration example: verify installed libcurl version against the fixed release
curl --version
# Inspect application code for reused handles
grep -RnE 'curl_easy_setopt\(.*CURLOPT_PROXY' ./src
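A small model of the invalidation rule from the Root Cause section and of the handle-reuse scenario the Workarounds list addresses. This is an added example, not libcurl's code: ModelHandle, its field names and the proxy hosts, realm, nonce and credentials are constructed stand-ins, and the Digest response is computed with the RFC 2617/7616 MD5 qop=auth scheme only so that the cached header looks like the one that leaks. The point it shows is that the cached header has to be tied to the proxy that issued the challenge and dropped when the target changes; with a real handle the equivalent is a fresh handle per proxy or curl_easy_reset.

```python
import hashlib


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri,
                    nc="00000001", cnonce="0123"):
    """RFC 2617/7616 MD5 response with qop=auth: the value that leaks."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class ModelHandle:
    """Hypothetical stand-in for a reused easy handle (not libcurl's struct):
    a proxy target plus the Proxy-Authorization value cached after a 407."""

    def __init__(self, proxy_userpwd):
        self.user, self.password = proxy_userpwd.split(":", 1)
        self.proxy = None
        self.cached = None  # (proxy that issued the challenge, header value)

    def set_proxy(self, proxy, invalidate=True):
        """Change the proxy target. With invalidate=True the cached header is
        dropped when the new target is not the proxy that issued the challenge;
        invalidate=False models the unpatched behaviour the advisory describes."""
        if invalidate and self.cached is not None and self.cached[0] != proxy:
            self.cached = None
        self.proxy = proxy

    def answer_407(self, realm, nonce, uri="/"):
        """Compute and cache the Proxy-Authorization value for self.proxy."""
        resp = digest_response(self.user, self.password, realm, nonce, "GET", uri)
        header = (f'Digest username="{self.user}", realm="{realm}", nonce="{nonce}", '
                  f'uri="{uri}", qop=auth, nc=00000001, cnonce="0123", response="{resp}"')
        self.cached = (self.proxy, header)
        return header

    def request_headers(self):
        """Headers the next transfer through self.proxy would carry."""
        return {} if self.cached is None else {"Proxy-Authorization": self.cached[1]}


def header_reaches_second_proxy(invalidate):
    """Drive the scenario from the advisory: authenticate to proxyA, switch the
    same handle to proxyB, and report whether proxyA's header would be sent."""
    h = ModelHandle("alice:s3cret")
    h.set_proxy("proxya.example.net:3128")
    h.answer_407(realm="proxyA-users", nonce="6f1c")
    h.set_proxy("proxyb.example.net:3128", invalidate=invalidate)
    return "Proxy-Authorization" in h.request_headers()


if __name__ == "__main__":
    print("unpatched model sends proxyA header to proxyB:", header_reaches_second_proxy(False))
    print("invalidating model sends proxyA header to proxyB:", header_reaches_second_proxy(True))
```

The cached value includes the realm and nonce proxyA issued plus the MD5 response over the password, which is why the advisory treats its arrival at proxyB as credential exposure even though no cleartext password is present. Comparing the full host:port of the challenge issuer, rather than only the host name, keeps a second proxy on another port of the same machine from receiving the header either.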
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.