CVE-2026-8926
UnknownSummary
A vulnerability in curl causes it to incorrectly use the password of another user from the .netrc file when a URL with a username (without password) is provided, potentially leading to credential confusion.
Risk Assessment
The organization may face unauthorized access to resources if curl uses wrong credentials, potentially leading to data breaches or privilege escalation.
Recommendation
Immediately update curl to a patched version addressing CVE-2026-8926, and temporarily avoid using .netrc files with URLs containing a username without a password.
Original NVD description (English source)
When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://[email protected]/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

