curl: Digest Auth Bypass via Proxy Capture-Replay (CVE-2026-7168) Advisory

Vulnerability Overview Vulnerability ID: CVE-2026-7168 Vulnerability Name: curl: Authentication Bypass by Capture-replay Vulnerability Description: Successfully using libcurl to perform a transfer over a specific HTTP proxy (proxy1) with Digest authentication, then changing the proxy host to a second proxy (proxy2) for a second transfer while reusing the same handle, causes libcurl to incorrectly pass the header field intended for proxy1 to proxy2. Modification Time: 2026-04-29T07:48:41.002Z Database Specific Information: - Package: curl - Impact: lib - URL: https://curl.se/docs/CVE-2026-7168.json - WWW: https://curl.se/docs/CVE-2026-7168.html - Source: https://hackerone.com/reports/3007759 - CWE: CWE-294 - Description: Authentication Bypass by Capture-replay - Severity: Medium Affected Scope Affected Versions: - SEMVER: 7.12.0 - GIT: fcd6ff1b30416cafeef2f2d73a3239e074a04216 - Other Versions: 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.78.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.1, 7.71.1, 7.71.0, 7.70.0, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.41.0, 7.40.0, 7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0, 7.29.0, 7.28.1, 7.28.0, 7.27.0, 7.26.0, 7.25.0, 7.24.0, 7.23.1, 7.23.0, 7.22.0, 7.21.1, 7.21.0, 7.20.1, 7.20.0, 7.19.7, 7.19.6, 7.19.5, 7.19.4, 7.19.3, 7.19.2, 7.19.1, 7.18.1, 7.18.0, 7.17.1, 7.17.0, 7.16.4, 7.16.3, 7.16.2, 7.16.1, 7.16.0, 7.15.5, 7.15.4, 7.15.3, 7.15.2, 7.15.1, 7.15.0, 7.14.1, 7.14.0, 7.13.2, 7.13.1, 7.13.0, 7.12.3, 7.12.2, 7.12.1, 7.12.0 Remediation Fixed Version: - SEMVER: 8.20.0 - GIT: 1c1cf59aca8f504c45784c5f6cd7c894507 Contributors Discoverer: Muhammad Arga Reksapati Fix Developer: Daniel Stenberg Details Details: Successfully using libcurl to do a transfer over a specific HTTP proxy1/proxy1) with Digest authentication and then changing the proxy host to the second one (proxy2) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the header field meant for proxy1, to proxy2.

Goal Reached Thanks to every supporter — we hit 100%!

curl: Digest Auth Bypass via Proxy Capture-Replay (CVE-2026-7168) Advisory