CVE Catalog

CVE-2026-9547

Unknown
Published: Translated: NVD NIST

Summary

A vulnerability in libcurl causes applications using SCP or SFTP transfers with the CURLOPT_SSH_KEYFUNCTION callback to silently accept untrusted servers. When a server presents a host key type that does not match the recorded key in the known_hosts file, the callback mechanism fails to enforce rejection, allowing the connection to succeed without warning.

Risk Assessment

The risk involves a potential man-in-the-middle attack, where an attacker can impersonate a trusted server and intercept or modify transmitted data without the user or application being aware.

Recommendation

It is recommended to immediately update libcurl to a patched version. Until updated, avoid using the CURLOPT_SSH_KEYFUNCTION callback in SCP/SFTP transfers or manually verify host key consistency.

Original NVD description (English source)

When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS