
libcurl cross-origin Digest auth state leak

Identifiers: CVE-2026-11856, CWE-294

CVE-2026-11856 is a medium-severity vulnerability in libcurl’s HTTP Digest authentication handling. When an application successfully performs a transfer to one HTTP origin using Digest authentication and then reuses the same libcurl easy handle for a subsequent transfer to a different origin, libcurl can incorrectly carry forward and send the Authorization header state intended for the first origin to the second origin. The flaw affects libcurl versions 7.10.6 through 8.20.0 inclusive and does not affect the curl command-line tool. The issue is classified as CWE-294 because the leaked Digest authentication state can be captured by the second host and replayed against the original host for a narrowly scoped request.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A malicious second origin can receive Digest Authorization material intended for the first origin and use it to impersonate the client to the original host for one specific request and exact path represented by the leaked authenticated state. The vulnerability does not disclose the user’s underlying credentials directly, and the leaked header does not reveal the identity of the original host, but it can still enable a limited authentication bypass via capture-replay against the first host.

Mitigation

If you can’t patch tonight, do this now.

Avoid reusing the same libcurl handle when changing HTTP origins, especially after a Digest-authenticated transfer. Use separate handles per origin or fully reset authentication-related state before initiating a transfer to a different host. Prioritize this mitigation in applications that embed libcurl and perform multi-origin requests with Digest authentication.

Remediation

Patch, then assume compromise.

Upgrade curl/libcurl to version 8.21.0 or later; the advisory indicates the issue is fixed in that release. If upgrading is not immediately possible, apply the upstream patch associated with the fix and rebuild affected software that embeds libcurl.
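
To decide which builds need the upgrade, the affected range stated above (7.10.6 through 8.20.0 inclusive) can be checked against the `libcurl/X.Y.Z` token that libcurl reports in its version string. The following is an added example, not code from the advisory or the curl project; the inventory entries and the function names are constructed for illustration.

```python
import re

# Affected range as stated on this page: 7.10.6 through 8.20.0 inclusive.
FIRST_AFFECTED = (7, 10, 6)
LAST_AFFECTED = (8, 20, 0)

# Matches the "libcurl/X.Y[.Z]" token in a libcurl version banner.
# A trailing suffix such as "-DEV" is ignored; a missing patch level is 0.
_LIBCURL_TOKEN = re.compile(r"\blibcurl/(\d+)\.(\d+)(?:\.(\d+))?")


def libcurl_version(banner):
    """Return (major, minor, patch) parsed from a banner, or None."""
    m = _LIBCURL_TOKEN.search(banner)
    return tuple(int(p or 0) for p in m.groups()) if m else None


def classify(banner):
    """Return 'affected', 'not-affected' or 'unknown' for one banner."""
    version = libcurl_version(banner)
    if version is None:
        return "unknown"  # no libcurl token: needs manual review
    if FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "affected"
    return "not-affected"


def audit(inventory):
    """Map each inventory entry name to its classification."""
    return {name: classify(banner) for name, banner in inventory.items()}


# Constructed sample inventory (hypothetical applications and banners).
SAMPLE_INVENTORY = {
    "app-a": "libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0",
    "app-b": "libcurl/8.21.0 OpenSSL/3.5.0 zlib/1.3.1",
    "app-c": "libcurl/7.10.5 OpenSSL/0.9.7b",
    "app-d": "libcurl/8.20.0-DEV OpenSSL/3.4.0",
    "app-e": "custom-http-client 2.1",
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{name}: {verdict}")
```

A version number alone cannot show whether a vendor has backported the fix into an older release, so an "affected" result for a distribution-packaged libcurl should be confirmed against that vendor's own advisory.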
PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.
