CVE-2026-8924 Overview
CVE-2026-8924 is a flaw in the cookie parsing logic of curl, the widely deployed command-line tool and library for transferring data over HTTP and other protocols. A malicious HTTP server can set so-called super cookies that bypass the Public Suffix List (PSL) check. Once accepted, curl scopes these attacker-controlled cookies to unrelated third-party domains and transmits them on subsequent requests. The result is cross-domain cookie injection that undermines the origin isolation model cookies depend on for authentication, session tracking, and CSRF defenses.
Critical Impact
An attacker-controlled origin can inject cookies that curl sends to unrelated third-party domains, breaking cookie-based trust boundaries and enabling session fixation, request forgery, and impersonation attacks against downstream services.
Affected Products
- Haxx curl (command-line utility)
- libcurl (client library used by countless applications)
- Any software or automation pipeline embedding vulnerable curl versions
Discovery Timeline
- 2026-07-03 - CVE-2026-8924 published to the National Vulnerability Database
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-8924
Vulnerability Analysis
The vulnerability resides in how curl validates cookie domain attributes against the Public Suffix List. The PSL check exists to prevent servers from setting cookies scoped to broad top-level suffixes such as .co.uk or .com, which would allow a single origin to influence unrelated sites sharing that suffix. A flaw in the parsing logic lets a malicious HTTP server craft Set-Cookie headers that evade this check. curl accepts the resulting cookie and stores it with an over-broad domain scope. On later requests to unrelated hosts falling under that scope, curl attaches the injected cookie, delivering attacker-controlled state to third-party origins.
Root Cause
The root cause is improper input validation in cookie domain handling [NVD-CWE-noinfo]. The parser fails to normalize or reject specific cookie domain values that should be treated as public suffixes. This gap allows super cookies to be persisted with a scope that no legitimate origin should possess.
Attack Vector
Exploitation requires only that a curl client contact an attacker-controlled HTTP server. No authentication, user interaction, or elevated privilege is needed. The server responds with a specifically crafted Set-Cookie header. curl then transmits the injected cookie to any host matching the over-broad scope, including services the victim client interacts with automatically. This is particularly relevant for build systems, CI/CD pipelines, package managers, and API clients that reuse a shared cookie jar across hosts.
No verified public proof-of-concept code is available at the time of publication. See the cURL CVE-2026-8924 Documentation and the HackerOne Report #3733905 for authoritative technical details.
Detection Methods for CVE-2026-8924
Indicators of Compromise
- Cookies present in curl cookie jars (cookies.txt, -c/-b output) with domain attributes matching public suffixes such as .com, .co.uk, or .org.
- Outbound HTTP requests from automation hosts carrying identical Cookie headers to unrelated third-party domains.
- Set-Cookie response headers from untrusted origins containing malformed or unusual domain attributes.
Detection Strategies
- Inventory all systems running curl or applications linked against libcurl and compare versions against the fixed release listed in the vendor advisory.
- Inspect stored cookie jars used by CI runners, scrapers, and API clients for entries with abnormally broad domain scopes.
- Add web proxy or egress inspection rules that flag Set-Cookie headers whose domain attribute resolves to a Public Suffix List entry.
Monitoring Recommendations
- Log and review curl invocations that use persistent cookie jars (--cookie-jar) in shared automation environments.
- Monitor outbound traffic from build agents for cookie reuse across unrelated hostnames.
- Alert on curl version fingerprints in User-Agent strings that indicate unpatched builds still in production use.
How to Mitigate CVE-2026-8924
Immediate Actions Required
- Upgrade curl and libcurl to the fixed version identified in the cURL CVE-2026-8924 Documentation.
- Rebuild and redeploy any statically linked applications or container images that bundle libcurl.
- Purge existing cookie jars used by automation, scrapers, and CI pipelines to eliminate any injected super cookies.
Patch Information
The curl project has published an advisory at curl.se/docs/CVE-2026-8924.html with the fixed release information and machine-readable metadata available in the CVE JSON details. Distribution maintainers typically ship backported patches; consult vendor package repositories for the curl update corresponding to your operating system.
Workarounds
- Avoid using persistent cookie jars (-b/-c) with untrusted HTTP servers until the patch is applied.
- Run curl with --cookie "" or without cookie storage flags in workflows that touch untrusted origins.
- Isolate automation that must communicate with untrusted endpoints so their cookie state cannot leak to production services.
# Verify installed curl version and upgrade on Debian/Ubuntu
curl --version
sudo apt-get update && sudo apt-get install --only-upgrade curl libcurl4
# Verify installed curl version and upgrade on RHEL/Rocky/Alma
curl --version
sudo dnf upgrade curl libcurl
# Purge any existing cookie jars used by automation
find / -name 'cookies.txt' -type f -print -delete 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

