oss-sec mailing list archives
[ADVISORY] curl: CVE-2026-3784: wrong proxy connection reuse with credentials
From: Daniel Stenberg <daniel () haxx se>
Date: Wed, 11 Mar 2026 07:54:47 +0100 (CET)
wrong proxy connection reuse with credentials
=============================================

Project curl Security Advisory, March 11th 2026
[Permalink](https://curl.se/docs/CVE-2026-3784.html)

VULNERABILITY
-------------

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.

The proper behavior is to create or use a separate connection.

INFO
----

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2026-3784 to this issue.

CWE-305: Authentication Bypass by Primary Weakness

Severity: Low

AFFECTED VERSIONS
-----------------

- Affected versions: curl 7.7 to and including 8.18.0
- Not affected versions: curl < 7.7 and >= 8.19.0
- Introduced-in: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b

libcurl is used by many applications, but not always advertised as such!

This bug is not considered a *C mistake*. It is not likely to have been avoided
had we not been using C.

This flaw also affects the curl command line tool.

SOLUTION
--------

curl 8.19.0 fixes this flaw

- Fixed-in: https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3

RECOMMENDATIONS
---------------

We suggest you take one of the following actions immediately, in order of
preference:

  A - Upgrade to curl and libcurl 8.19.0

  B - Apply the patch and rebuild libcurl

  C - Avoid using HTTP proxy with alternating credentials

TIMELINE
--------

It was reported to the curl project on March 4th 2026. We contacted
distros@openwall on March 8.

libcurl 8.19.0 was released on March 11th 2026, coordinated with the publication
of this advisory.

CREDITS
-------

- Reported-by: Muhamad Arga Reksapati (HackerOne: nobcoder)
- Patched-by: Stefan Eissing

Thanks a lot!

-- 

 / daniel.haxx.se
 || https://rock-solid.curl.dev
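An added illustration, not curl's code and not part of the advisory: a small Python model of a pool of CONNECT tunnels through an HTTP proxy. The proxy authenticates a tunnel once, on the CONNECT request, so whether a later request is allowed to ride an existing tunnel is decided entirely by the pool's reuse check. The `match_proxy_credentials=False` variant models the flawed behaviour the advisory describes (proxy credentials ignored when picking a connection to reuse); the `True` variant models the stated proper behaviour (a separate connection when the proxy credentials differ). It is not a transcription of the actual patch. Host names, ports, user names and the pool API are constructed for the example.

```python
"""Model of HTTP proxy CONNECT-tunnel reuse (constructed example, not curl code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProxyAuth:
    """Credentials sent to the HTTP proxy on the CONNECT request."""
    user: str
    password: str


@dataclass(frozen=True)
class Request:
    dest_host: str
    dest_port: int
    proxy_host: str
    proxy_port: int
    proxy_auth: Optional[ProxyAuth]  # None: no proxy authentication requested


@dataclass
class TunnelConnection:
    """A live connection to the proxy with an established CONNECT tunnel.

    The proxy checked proxy_auth exactly once, when the tunnel was set up.
    Anything sent over the tunnel afterwards is never re-authenticated.
    """
    conn_id: int
    dest_host: str
    dest_port: int
    proxy_host: str
    proxy_port: int
    proxy_auth: Optional[ProxyAuth]


class TunnelPool:
    def __init__(self, match_proxy_credentials: bool):
        # False: hypothetical model of the flawed reuse rule (proxy credentials
        #        are not part of the match). True: the corrected rule.
        self.match_proxy_credentials = match_proxy_credentials
        self._conns = []
        self._next_id = 1

    def _matches(self, conn: TunnelConnection, req: Request) -> bool:
        if (conn.dest_host, conn.dest_port) != (req.dest_host, req.dest_port):
            return False
        if (conn.proxy_host, conn.proxy_port) != (req.proxy_host, req.proxy_port):
            return False
        # The security-relevant line: without this, a tunnel authenticated
        # for one proxy user is handed to a request carrying another user.
        if self.match_proxy_credentials and conn.proxy_auth != req.proxy_auth:
            return False
        return True

    def acquire(self, req: Request) -> tuple[TunnelConnection, bool]:
        """Return (connection, reused). A new tunnel records the credentials
        the proxy actually authenticated; a reused one keeps its old ones."""
        for conn in self._conns:
            if self._matches(conn, req):
                return conn, True
        conn = TunnelConnection(self._next_id, req.dest_host, req.dest_port,
                                req.proxy_host, req.proxy_port, req.proxy_auth)
        self._next_id += 1
        self._conns.append(conn)
        return conn, False


def run_alternating_credentials(match_proxy_credentials: bool) -> list[tuple[int, bool, str]]:
    """Three requests to one origin via one proxy as alice, bob, alice.

    Returns (conn_id, reused, user the proxy actually authenticated on that
    tunnel) per request. Constructed input: names and hosts are made up.
    """
    alice = ProxyAuth("alice", "s3cret")
    bob = ProxyAuth("bob", "hunter2")
    pool = TunnelPool(match_proxy_credentials)
    results = []
    for auth in (alice, bob, alice):
        req = Request("example.com", 443, "proxy.internal", 3128, auth)
        conn, reused = pool.acquire(req)
        results.append((conn.conn_id, reused, conn.proxy_auth.user))
    return results


def credentials_bypassed(match_proxy_credentials: bool) -> list[str]:
    """Users whose request went out over a tunnel the proxy authenticated
    for somebody else, i.e. whose own proxy credentials were never checked."""
    requested = ["alice", "bob", "alice"]
    results = run_alternating_credentials(match_proxy_credentials)
    return [want for want, (_, _, got) in zip(requested, results) if want != got]


if __name__ == "__main__":
    print("flawed rule:  ", run_alternating_credentials(False))
    print("corrected rule:", run_alternating_credentials(True))
    print("bypassed (flawed):", credentials_bypassed(False))
```

With the flawed rule, bob's request is sent over connection 1, which the proxy authenticated for alice, so the proxy never sees bob's credentials at all; with the corrected rule bob gets his own tunnel (connection 2) and alice's third request correctly reuses connection 1. The same structure is why recommendation C (avoid alternating proxy credentials on one client) is a workaround: with a single credential the two rules behave identically.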
