Skip to main content
CVE Vulnerability Database

CVE-2026-8458: Haxx Curl Auth Bypass Vulnerability

CVE-2026-8458 is an authentication bypass flaw in Haxx Curl's libcurl where connection reuse logic incorrectly shares Negotiate-authenticated connections across different services. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-8458 Overview

CVE-2026-8458 is a connection reuse vulnerability in libcurl affecting requests authenticated with the Negotiate scheme. A logical error in the connection pool matching code allows libcurl to reuse a cached connection to the same server even when the application requested a different service for authentication. This mismatch can cause a client to send credentials or receive data over a connection authenticated to an unintended service context. The flaw impacts applications relying on libcurl to enforce service separation for GSS-API and SPNEGO-based Negotiate authentication.

Critical Impact

Applications using libcurl with Negotiate authentication may reuse connections authenticated against the wrong service, undermining integrity guarantees between distinct authenticated sessions to the same host.

Affected Products

  • Haxx curl (libcurl) — see vendor advisory for affected version ranges
  • Applications and language bindings that link against affected libcurl builds
  • Systems using libcurl with Negotiate/GSS-API authentication across multiple services

Discovery Timeline

  • 2026-07-03 - CVE-2026-8458 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-8458

Vulnerability Analysis

libcurl maintains a connection pool so that subsequent HTTP requests can reuse an already established TCP/TLS connection and avoid handshake overhead. Before selecting a pooled connection, libcurl evaluates a set of matching criteria including host, port, protocol, and credentials. Due to a logical error, the matching logic for Negotiate-authenticated connections does not correctly account for the requested service parameter. A request configured to authenticate against one service can therefore bind to a pooled connection previously authenticated against a different service on the same server. This weakens the integrity boundary the application expected between service contexts and may cause requests to execute under the wrong authenticated identity. The issue is scoped to libcurl's internal connection selection and does not require an attacker on the network path.

Root Cause

The connection reuse check omits the Negotiate service name from the equality comparison. As a result, two connections that differ only by their configured Negotiate service are treated as interchangeable by the pool.

Attack Vector

Exploitation requires a local application context where libcurl issues multiple Negotiate-authenticated requests to the same server using different service names. An attacker with the ability to influence request parameters, or a co-tenant application sharing a libcurl handle, can cause requests to be dispatched over the wrong authenticated connection. The CVSS vector indicates a network attack surface with low privileges required and a high integrity impact, with no direct confidentiality or availability impact.

No public proof-of-concept exploit code is available. Refer to the cURL CVE-2026-8458 Advisory and HackerOne Report #3721183 for technical detail.

Detection Methods for CVE-2026-8458

Indicators of Compromise

  • Server-side authentication logs showing requests arriving under a Negotiate service context that differs from what the client application intended to use.
  • Application logs recording unexpected authorization decisions when libcurl reuses connections across multiple Negotiate service targets.
  • Presence of libcurl versions listed as vulnerable in the cURL CVE-2026-8458 Advisory.

Detection Strategies

  • Inventory installed libcurl versions across endpoints, servers, and container images and compare against the fixed version listed in the vendor advisory.
  • Instrument applications that use libcurl's Negotiate authentication to log the intended CURLOPT_SERVICE_NAME alongside the connection identifier for each request.
  • Correlate client-side request intent with server-side Kerberos/SPNEGO service principal names to identify mismatches.

Monitoring Recommendations

  • Monitor Kerberos ticket usage and SPN targeting patterns for anomalies indicating cross-service reuse from a single client.
  • Track libcurl package versions with software composition analysis and alert on downgrade or unpatched deployments.
  • Review authentication server logs for requests that authenticate against unexpected service principals from known libcurl-based clients.

How to Mitigate CVE-2026-8458

Immediate Actions Required

  • Upgrade libcurl to the fixed version identified in the cURL CVE-2026-8458 Advisory.
  • Rebuild and redistribute applications and container images that statically link libcurl.
  • Audit code paths that switch Negotiate service names on a shared curl handle and consider using separate handles per service until patched.

Patch Information

The curl project has published patch guidance and affected version ranges in the cURL CVE-2026-8458 Advisory and machine-readable cURL CVE-2026-8458 JSON Details. Distributions that package libcurl should backport the upstream fix; verify installed package versions after applying vendor updates.

Workarounds

  • Disable connection reuse for Negotiate requests by setting CURLOPT_FORBID_REUSE on affected transfers until libcurl is patched.
  • Use separate CURL easy handles or dedicated connection pools for each distinct Negotiate service target.
  • Avoid switching CURLOPT_SERVICE_NAME on a handle that has previously authenticated against a different service to the same host.
bash
# Verify installed libcurl version against the vendor advisory
curl --version
dpkg -l | grep -Ei 'libcurl|curl'
rpm -qa | grep -Ei 'libcurl|curl'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.