curl CVE-2026-4873 TLS Connection Pool Reuse Vulnerability Advisory

Vulnerability Overview Vulnerability ID: CVE-2026-4873 Description: A vulnerability exists where connections requiring TLS incorrectly reuse existing unencrypted connections from the same connection pool. If the initial transmission occurs in plaintext (e.g., via IMAP, SMTP, or POP3), subsequent requests to the same host will bypass the TLS requirement and transmit data directly. Severity: Low Last Affected Version: < 8.19.0 Scope of Impact Affected Versions: - All versions prior to 8.19.0 - Specifically including: 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1, 8.11.0, 8.10.1, 8.10.0, 8.9.1, 8.9.0, 8.8.0, 8.7.1, 8.7.0, 8.6.0, 8.5.0, 8.4.0, 8.3.0, 8.2.1, 8.2.0, 8.1.2, 8.1.1, 8.1.0, 8.0.1, 8.0.0, 7.88.1, 7.87.0, 7.86.0, 7.85.0, 7.84.0, 7.83.1, 7.83.0, 7.82.0, 7.81.0, 7.80.0, 7.79.1, 7.79.0, 7.78.0, 7.77.0, 7.76.1, 7.76.0, 7.75.0, 7.74.0, 7.73.0, 7.72.0, 7.71.1, 7.71.0, 7.70.1, 7.69.1, 7.69.0, 7.68.0, 7.67.0, 7.66.0, 7.65.3, 7.63.1, 7.62.0, 7.61.0, 7.65.0, 7.64.1, 7.64.0, 7.63.0, 7.62.0, 7.61.1, 7.61.0, 7.60.0, 7.59.0, 7.58.0, 7.57.0, 7.56.1, 7.56.0, 7.55.1, 7.55.0, 7.54.1, 7.54.0, 7.53.1, 7.53.0, 7.52.1, 7.52.0, 7.51.0, 7.50.3, 7.50.1, 7.50.0, 7.50.0, 7.49.1, 7.49.0, 7.48.0, 7.47.1, 7.47.0, 7.46.0, 7.45.0, 7.44.0, 7.43.0, 7.42.1, 7.42.0, 7.41.0, 7.40.0, 7.39.0, 7.38.0, 7.37.1, 7.37.0, 7.36.0, 7.35.0, 7.34.0, 7.33.0, 7.32.0, 7.31.0, 7.30.0, 7.29.1, 7.29.0, 7.28.1, 7.27.0, 7.26.0, 7.25.0, 7.24.0, 7.23.1, 7.23.0, 7.22.0, 7.21.7, 7.21.6, 7.21.5, 7.21.4, 7.21.3, 7.21.2, 7.21.1, 7.21.0, 7.20.1, 7.20.0 Remediation Fixed Version: 8.20.0 Git Fix Commit: 507e7be33b0a76fc597b75ff7cb7a66d76865

Goal Reached Thanks to every supporter — we hit 100%!

curl CVE-2026-4873 TLS Connection Pool Reuse Vulnerability Advisory