CVE Catalog

CVE-2026-11856

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability in libcurl causes the Authorization header intended for the original host to be incorrectly forwarded to a different host when reusing a handle for HTTP transfers with Digest authentication. This occurs after a successful transfer to hostA with Digest authentication and then changing the target to hostB.

Risk Assessment

The organization risks leaking authentication credentials to an unauthorized server, potentially leading to unauthorized access or man-in-the-middle attacks.

Recommendation

Immediately update libcurl to a patched version and review application code that reuses curl handles with Digest authentication.

Original NVD description (English source)

Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS