libcurl Authentication Bypass via Connection Reuse (CVE-2026-5545)

Vulnerability Overview Vulnerability ID: CVE-2026-5545 Description: Authentication Bypass by Primary Weakness Severity: Medium Published: 2026-04-29T07:48:41.902Z Last Impact Time: 2026-04-29T08:00:00.002Z Details: libcurl might reuse the wrong connection in certain situations when asked to reuse an authenticated HTTP(S) request after Negotiate authentication, when using the same host. libcurl has a connection pool feature to allow subsequent requests to reuse existing connections to avoid re-negotiation. However, some criteria must be met to reuse a connection. Due to a logic error in the code, a request made by an application, which was used by another application with different credentials to the same server, and the server was not authenticated with different credentials. The first request used Negotiate for the server (using user/password), then it performed another operation to ask the same server for any authentication method, but for user2:password2 (while the previous connection was still active) - the second request was confused and reused the same connection, sending a new request that mixed/confused the credentials of user1 and user2. It would actually authenticate using user1's credentials. Impact Scope Package: curl Impact: Both Affected Versions: - 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.1, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.88.0, 7.87.0, 7.86.0, 7.85.0, 7.84.1, 7.83.1, 7.83.0, 7.82.1, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.1, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.65.2, 7.65.1, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.2, 7.50.1, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.9, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.41.0, 7.40.0, 7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0, 7.29.0, 7.28.1, 7.28.0, 7.27.0, 7.26.0, 7.25.0, 7.24.0, 7.23.1, 7.23.0, 7.22.0, 7.21.7, 7.21.6, 7.21.5, 7.21.4, 7.21.3, 7.21.2, 7.21.1, 7.20.1, 7.20.0, 7.19.7, 7.19.6, 7.19.4, 7.19.3, 7.19.2, 7.19.1, 7.19.0, 7.18.2, 7.18.1, 7.18.0, 7.17.1, 7.17.0, 7.16.4, 7.16.3, 7.16.2, 7.16.1, 7.16.0, 7.15.5, 7.15.4, 7.15.3, 7.15.2, 7.15.1, 7.15.0, 7.14.0, 7.14.0, 7.13.2, 7.13.1, 7.13.0, 7.12.3, 7.12.2, 7.12.1, 7.12.0, 7.11.2, 7.11.1, 7.11.0, 7.10.5, 7.10.7, 7.10.6 Remediation Fixed Versions: - 7.10.6 - 7.10.7 - 7.11.0 - 7.11.1 - 7.11.2 - 7.12.0 - 7.12.1 - 7.12.2 - 7.12.3 - 7.13.0 - 7.13.1 - 7.13.2 - 7.14.0 - 7.15.0 - 7.15.1 - 7.15.2 - 7.15.3 - 7.15.4 - 7.15.5 - 7.16.0 - 7.16.1 - 7.16.2 - 7.16.3 - 7.16.4 - 7.17.0 - 7.17.1 - 7.18.0 - 7.18.1 - 7.18.2 - 7.19.0 - 7.19.1 - 7.19.2 - 7.19.3 - 7.19.4 - 7.19.6 - 7.19.7 - 7.20.0 - 7.20.1 - 7.21.1 - 7.21.2 - 7.21.3 - 7.21.4 - 7.21.5 - 7.21.6 - 7.21.7 - 7.22.0 - 7.23.0 - 7.23.1 - 7.24.0 - 7.25.0 - 7.26.0 - 7.27.0 - 7.28.0 - 7.28.1 - 7.29.0 - 7.30.0 - 7.31.0 - 7.32.0 - 7.33.0 - 7.34.0 - 7.35.0 - 7.36.0 - 7.37.0 - 7.37.1 - 7.38.0 - 7.39.0 - 7.40.0 - 7.41.0 - 7.42.1 - 7.43.0 - 7.44.0 - 7.45.0 - 7.46.9 - 7.47.0 - 7.47.1 - 7.48.0 - 7.49.0 - 7.49.1 - 7.50.0 - 7.50.1 - 7.50.2 - 7.50.3 - 7.51.0 - 7.52.0 - 7.52.1 - 7.53.0 - 7.53.1 - 7.54.0 - 7.55.0 - 7.55.1 - 7.56.0 - 7.56.1 - 7.57.0 - 7.58.0 - 7.59.0 - 7.60.0 - 7.61.0 - 7.61.1 - 7.62.0 - 7.63.0 - 7.64.0 - 7.64.1 - 7.65.0 - 7.65.1 - 7.65.2 - 7.65.3 - 7.66.0 - 7.67.0 - 7.68.0 - 7.69.0 - 7.69.1 - 7.70.1 - 7.71.0 - 7.71.1 - 7.72.0 - 7.73.0 - 7.74.0 - 7.75.0 - 7.76.0 - 7.76.1 - 7.77.0 - 7.78.0 - 7.79.0 - 7.79.1 - 7.80.0 - 7.81.0 - 7.82.0 - 7.82.1 - 7.83.0 - 7.83.1 - 7.84.0 - 7.84.1 - 7.85.0 - 7.86.0 - 7.87.0 - 7.88.0 - 7.88.1 - 8.0.0 - 8.0.1 - 8.1.0 - 8.1.1 - 8.1.2 - 8.2.0 - 8.2.1 - 8.3.0 - 8.3.1 - 8.4.0 - 8.5.0 - 8.6.0 - 8.7.0 - 8.7.1 - 8.8.0 - 8.9.0 - 8.9.1 - 8.10.0 - 8.10.1 - 8.11.0 - 8.11.1 - 8.12.0 - 8.12.1 - 8.13.0 - 8.14.0 - 8.14.1 - 8.15.0 - 8.16.0 - 8.17.0 - 8.18.0 - 8.19.0 References Documentation: https://curl.se/docs/CVE-2026-5545.html GitHub: https://github.com/curl/curl.git HackerOne: https://hackerone.com/reports/5642555 Contributors Discoverer: Quoc Tran, Ngoc Hieu Fixer: Stefan Eissing

Goal Reached Thanks to every supporter — we hit 100%!

libcurl Authentication Bypass via Connection Reuse (CVE-2026-5545)