CVE-2026-8927 Overview
CVE-2026-8927 affects libcurl when applications reuse a single handle for sequential transfers configured through environment-variable proxy settings. The library fails to clear proxy authentication state between requests. A transfer that first authenticates to proxyA using Digest authentication leaks the Proxy-Authorization: header on a subsequent request routed through proxyB. The flaw is classified under CWE-294: Authentication Bypass by Capture-replay. An attacker controlling or observing proxyB can capture credentials intended solely for proxyA and replay them.
Critical Impact
Reuse of a libcurl handle across proxies exposes Digest proxy credentials to unintended intermediaries, enabling credential capture and replay against the legitimate proxy.
Affected Products
- Haxx curl (libcurl) — versions listed in the vendor advisory
- Applications that reuse a libcurl handle across sequential transfers
- Deployments relying on environment-variable proxy configuration (http_proxy, https_proxy)
Discovery Timeline
- 2026-07-03 - CVE-2026-8927 published to NVD
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-8927
Vulnerability Analysis
The defect resides in libcurl handle state management. When an application calls curl_easy_perform() multiple times on the same handle, libcurl retains authentication context from the previous transfer. For proxy authentication driven by http_proxy or https_proxy environment variables, the library does not reset the cached Proxy-Authorization: header when the proxy target changes.
The first transfer negotiates Digest authentication with proxyA and stores the computed credential. On the next transfer, the application updates the proxy URL to proxyB through environment variables, but the previously computed header is emitted verbatim. proxyB receives credentials scoped to proxyA. This is an authentication-by-capture flaw where a passive or active adversary controlling proxyB gains material for replay attacks against proxyA.
Root Cause
The root cause is missing state invalidation. libcurl treats the proxy authentication cache as persistent across transfers on a reused handle, without validating that the destination proxy remains identical. Digest authentication tokens are proxy-specific, so cross-proxy reuse violates the trust boundary enforced by the authentication scheme.
Attack Vector
Exploitation is network-based and requires no privileges or user interaction. An attacker who controls, operates, or intercepts traffic to a secondary proxy — for example through DNS manipulation, PAC file poisoning, or hostile network positioning — receives valid Proxy-Authorization: headers scoped to a different proxy. The captured Digest response can be replayed against the intended proxy within the nonce validity window. Refer to the curl.se CVE-2026-8927 Advisory and HackerOne Report #3744543 for the vendor's technical description.
Detection Methods for CVE-2026-8927
Indicators of Compromise
- Outbound HTTP CONNECT or GET requests carrying Proxy-Authorization: Digest headers to proxies that were never provisioned with credentials for the requesting client.
- Proxy access logs showing successful Digest authentication from clients that should not possess valid credentials for that proxy.
- Repeated identical Proxy-Authorization: values sent to distinct proxy hostnames from the same source within short time windows.
Detection Strategies
- Inspect egress traffic at TLS-terminating gateways for Proxy-Authorization: headers directed at unexpected proxy destinations.
- Correlate DNS resolution events for proxy hostnames with subsequent authenticated proxy sessions to identify redirection attempts.
- Inventory applications linking against libcurl and flag those using CURLOPT_PROXY reconfiguration on reused handles.
Monitoring Recommendations
- Enable verbose proxy logging on all authenticating proxies and alert on Digest responses tied to unfamiliar client identifiers.
- Monitor changes to http_proxy and https_proxy environment variables on production hosts through endpoint telemetry.
- Track installed libcurl versions across the fleet and alert when vulnerable builds appear.
How to Mitigate CVE-2026-8927
Immediate Actions Required
- Upgrade libcurl to the fixed release identified in the curl.se CVE-2026-8927 Advisory.
- Rotate any Digest proxy credentials that may have transited untrusted intermediaries during the exposure window.
- Audit applications that reuse CURL* handles across transfers and identify those relying on environment-variable proxy configuration.
Patch Information
The curl project has published the fix and metadata in the curl.se CVE-2026-8927 JSON Data. Rebuild or repackage dependent applications against the patched libcurl and redeploy across affected systems.
Workarounds
- Call curl_easy_reset() on the handle between transfers to purge cached authentication state.
- Use a fresh curl_easy_init() handle for each transfer that targets a different proxy.
- Explicitly set CURLOPT_PROXY and CURLOPT_PROXYUSERPWD on each request instead of relying on http_proxy and https_proxy environment variables.
- Restrict Digest proxy authentication to trusted network segments where secondary proxies cannot be interposed.
# Configuration example: force per-transfer handle reset in wrapper scripts
export CURL_RESET_BETWEEN_TRANSFERS=1
# Verify installed libcurl version against the vendor advisory
curl --version | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

