CVE-2026-9079 Overview
CVE-2026-9079 is a credential handling flaw in libcurl affecting the haxx:curl component. When an application instructs libcurl to clear previously configured proxy authentication credentials, the library fails to remove them. The stale credentials remain in memory and are reused on subsequent transfers that were never intended to know or use them.
The vulnerability is classified under CWE-522: Insufficiently Protected Credentials. It exposes proxy authentication material to unintended remote endpoints. The issue is tracked as network-exploitable with no privileges or user interaction required.
Critical Impact
Proxy credentials that an application explicitly requested to clear can be transmitted to unintended servers, exposing authentication material and enabling credential theft.
Affected Products
- Haxx curl (libcurl) — versions covered by the vendor advisory
- Applications and services embedding vulnerable libcurl builds
- Command-line curl binaries linked against the affected libcurl
Discovery Timeline
- 2026-07-03 - CVE-2026-9079 published to the National Vulnerability Database (NVD)
- 2026-07-07 - Last updated in NVD database
Technical Details for CVE-2026-9079
Vulnerability Analysis
libcurl exposes options that allow applications to configure proxy authentication credentials via CURLOPT_PROXYUSERPWD and related settings. Applications reuse a CURL easy handle across multiple transfers and are expected to reset credentials between requests. The vulnerable code path fails to honor the clear operation, retaining the prior username and password in the handle state.
Subsequent transfers reuse the handle for connections that should carry no proxy authentication. libcurl attaches the stale credentials to outbound requests, transmitting them to proxies or endpoints that were never authorized to receive them. The flaw affects the confidentiality of authentication data used across reused handles.
This is a credential exposure defect rather than a memory corruption issue. It maps to [CWE-522] because sensitive authentication material is not properly invalidated between operations. Reference details are published in the curl.se CVE-2026-9079 advisory and the associated HackerOne Report #3750295.
Root Cause
The root cause is incomplete state reset logic when the API is asked to clear proxy credentials on an existing handle. The internal credential fields retain their previous values instead of being zeroed or freed. libcurl treats the fields as still-configured and reapplies them on the next transfer.
Attack Vector
The attack vector is network-based. An attacker who controls or observes a proxy or endpoint targeted by a subsequent transfer receives credentials the calling application intended to keep private. Exploitation depends on application behavior that reuses handles across trust boundaries — a common pattern in HTTP clients, package managers, and automation tooling that embed libcurl.
No verified public exploit code is available. The vulnerability is described in prose in the vendor advisory linked above; refer to it for the affected code paths and fixed versions.
Detection Methods for CVE-2026-9079
Indicators of Compromise
- Outbound HTTP requests containing Proxy-Authorization headers directed at proxies that should not receive them
- Application logs showing proxy authentication attempts against endpoints configured without proxy credentials
- Repeated authentication events from a single client to multiple, unrelated proxy hosts within the same session
Detection Strategies
- Inventory systems and applications linked against vulnerable libcurl versions using software composition analysis (SCA) tools
- Inspect TLS-terminated proxy logs for unexpected Proxy-Authorization values originating from applications that should have cleared credentials
- Correlate outbound curl-based traffic with proxy configuration state changes to identify credential reuse across transfers
Monitoring Recommendations
- Enable verbose libcurl tracing (CURLOPT_VERBOSE) in non-production builds to confirm credential clearing behavior
- Monitor egress network flows for unauthorized proxy authentication attempts from application servers
- Track versions of libcurl.so, libcurl.dll, and statically linked builds across the fleet to identify unpatched hosts
How to Mitigate CVE-2026-9079
Immediate Actions Required
- Upgrade libcurl to the fixed version listed in the curl.se CVE-2026-9079 advisory
- Identify third-party software bundling vulnerable libcurl and apply vendor updates as they become available
- Rotate proxy credentials that may have been exposed to unintended endpoints since deployment of the vulnerable version
Patch Information
The curl project has published details and fixed release information in its official advisory. Consult the curl.se CVE-2026-9079 Documentation and the machine-readable curl.se CVE-2026-9079 JSON Data to determine the minimum fixed version for your build. Rebuild statically linked applications against the patched libcurl.
Workarounds
- Create a fresh CURL easy handle for transfers that must not carry prior proxy credentials rather than reusing an existing handle
- Explicitly set proxy credentials to an empty state before each transfer and validate behavior with request tracing
- Segment proxy configurations so that handles which have held credentials are never reused for transfers to different trust domains
# Verify installed libcurl version and compare against the fixed release
curl --version
ldd $(which curl) | grep libcurl
# On Debian/Ubuntu
apt-get update && apt-get install --only-upgrade curl libcurl4
# On RHEL/Fedora
dnf upgrade curl libcurl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

