CVE Catalog

CVE-2026-8926

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability in curl causes it to incorrectly use the password of another user from the .netrc file when a URL with a username (without password) is provided, potentially leading to credential confusion.

Risk Assessment

The organization may face unauthorized access to resources if curl uses wrong credentials, potentially leading to data breaches or privilege escalation.

Recommendation

Immediately update curl to a patched version addressing CVE-2026-8926, and temporarily avoid using .netrc files with URLs containing a username without a password.

Original NVD description (English source)

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://[email protected]/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS