libcurl Password Leak via HTTP Redirect (CVE-2026-6429) Advisory

CVE-2026-6429 Vulnerability Summary Vulnerability Overview Vulnerability Name: CVE-2026-6429 Vulnerability Description: When required to authenticate using a file and follow HTTP redirects, libcurl may leak the password used for the first host to the host it is redirected to. Severity: Medium Publication Date: 2026-04-29T07:48:41.002Z Last Affected Version: 8.19.0 Affected Scope Affected Software: curl Affected Versions: - 8.19.0 - 8.18.0 - 8.17.0 - 8.16.0 - 8.15.0 - 8.14.1 - 8.14.0 - 8.13.0 - 8.12.1 - 8.12.0 - 8.11.1 - 8.11.0 - 8.10.1 - 8.10.0 - 8.9.1 - 8.9.0 - 8.8.0 - 8.7.1 - 8.7.0 - 8.6.0 - 8.5.0 - 8.4.0 - 8.3.0 - 8.2.1 - 8.2.0 - 8.1.2 - 8.1.1 - 8.1.0 - 8.0.1 - 7.88.0 - 7.88.1 - 7.88.0 - 7.87.0 - 7.86.0 - 7.85.0 - 7.84.0 - 7.83.1 - 7.83.0 - 7.82.0 - 7.81.0 - 7.80.0 - 7.79.1 - 7.78.0 - 7.77.0 - 7.76.1 - 7.76.0 - 7.75.0 - 7.74.0 - 7.73.0 - 7.72.0 - 7.71.1 - 7.71.0 - 7.70.0 - 7.69.1 - 7.69.0 - 7.68.0 - 7.67.0 - 7.66.0 - 7.65.3 - 7.65.2 - 7.65.1 - 7.65.0 - 7.64.1 - 7.64.0 - 7.63.0 - 7.62.0 - 7.61.1 - 7.61.0 - 7.61.0 - 7.60.0 - 7.59.0 - 7.58.0 - 7.57.0 - 7.56.1 - 7.56.0 - 7.55.1 - 7.55.0 - 7.54.1 - 7.54.0 - 7.53.1 - 7.53.0 - 7.52.1 - 7.52.0 - 7.51.0 - 7.50.3 - 7.50.2 - 7.50.1 - 7.50.0 - 7.49.1 - 7.49.0 - 7.48.0 - 7.47.1 - 7.47.0 - 7.46.0 - 7.45.0 - 7.44.0 - 7.43.0 - 7.42.1 - 7.42.0 - 7.41.0 - 7.40.0 - 7.39.0 - 7.38.0 - 7.37.1 - 7.37.0 - 7.36.0 - 7.35.0 - 7.34.0 - 7.33.0 - 7.32.0 - 7.31.0 - 7.30.0 - 7.29.0 - 7.28.1 - 7.28.0 - 7.27.0 - 7.26.0 - 7.25.0 - 7.24.0 - 7.23.1 - 7.23.0 - 7.22.0 - 7.21.7 - 7.21.6 - 7.21.5 - 7.21.4 - 7.21.3 - 7.21.2 - 7.21.1 - 7.21.0 - 7.20.1 - 7.19.7 - 7.19.6 - 7.19.5 - 7.19.4 - 7.19.3 - 7.19.2 - 7.19.1 - 7.19.0 - 7.18.2 - 7.18.1 - 7.18.0 - 7.17.1 - 7.17.0 - 7.16.4 - 7.16.3 - 7.16.2 - 7.16.1 - 7.16.0 - 7.15.5 - 7.15.4 - 7.15.0 - 7.14.1 - 7.14.0 Remediation Fixed Version: 8.26.0 Fix Repository: https://github.com/curl/curl.git Fix Commit: 8b024b788b0d558b2f5fc6966e4d77399ec36e

Goal Reached Thanks to every supporter — we hit 100%!

libcurl Password Leak via HTTP Redirect (CVE-2026-6429) Advisory