Unrated

SSH improper host validation in libcurl libssh backend

Identifiers: CVE-2026-9547, CWE-297

CVE-2026-9547 is an improper SSH host validation flaw in libcurl affecting SCP:// and SFTP:// transfers when libcurl is built with the libssh backend and the application uses the CURLOPT_SSH_KEYFUNCTION host-key callback. In affected versions, if an SSH server presents a host key type that does not match the specific key type already recorded for that host in known_hosts, libcurl can incorrectly accept the server instead of rejecting the mismatch. This results from the callback path failing to properly enforce host key type restrictions during host verification. The issue affects curl/libcurl versions 7.69.0 through 8.20.0, was introduced by commit 507cf6a13db0375eadd, and was fixed by commit 0b8dbbc63c98777e4584cb9 in 8.21.0. The curl command-line tool is not affected, and builds using libssh2 instead of libssh are not affected.
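To make the failure concrete, the following added example (not curl project code, and not the patched libcurl logic) implements the host-key check that the description above says the vulnerable callback path failed to enforce: a host already recorded in known_hosts under one key type must be treated as a mismatch, not as an unknown host, when the server presents a different key type. The verdict names mirror libcurl's CURLKHMATCH_OK / CURLKHMATCH_MISMATCH / CURLKHMATCH_MISSING but are plain strings here; the known_hosts contents, salt and key blobs are constructed placeholders. Hashed `|1|` host entries are matched with HMAC-SHA1 as OpenSSH does; `@revoked` entries force a mismatch and `@cert-authority` entries are skipped.

```python
"""Host-key verification against an OpenSSH-style known_hosts file.

Added example for CVE-2026-9547 (not code from the curl project). Shows the
check that must hold on every SCP/SFTP connection: a known host presenting a
key of a type other than the recorded one is a MISMATCH, never a fresh host.
"""
import base64
import hashlib
import hmac

# Verdicts modelled on libcurl's CURLKHMATCH_* values (names only, constructed).
MATCH_OK = "OK"
MATCH_MISMATCH = "MISMATCH"
MATCH_MISSING = "MISSING"


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(pattern: str, host: str) -> bool:
    """Match one host field: plain name, comma-separated list, or |1| hashed form."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, expected)
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Return (marker, host_field, key_type, key_b64) tuples; marker is '' or '@...'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        marker = ""
        if parts[0].startswith("@"):
            marker, parts = parts[0], parts[1:]
        if len(parts) < 3:
            continue  # malformed line: ignore rather than guess
        entries.append((marker, parts[0], parts[1], parts[2]))
    return entries


def verify_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Classify the key a server presented for `host` against known_hosts.

    OK       -> an entry for this host has the same type and identical key blob.
    MISMATCH -> the host is known, but no entry matches (different key, or a
                different key *type*; the latter is the CVE-2026-9547 case).
    MISSING  -> no entry refers to this host at all (trust-on-first-use decision).
    """
    saw_host = False
    presented = key_b64.encode()
    for marker, host_field, rec_type, rec_key in parse_known_hosts(known_hosts):
        if marker == "@cert-authority":
            continue  # certificates are not modelled in this example
        if not _host_matches(host_field, host):
            continue
        same_key = rec_type == key_type and hmac.compare_digest(rec_key.encode(), presented)
        if marker == "@revoked":
            if same_key:
                return MATCH_MISMATCH  # explicitly revoked key: never accept
            continue
        saw_host = True
        if same_key:
            return MATCH_OK
    # Known host, but every recorded key (of any type) differs: reject.
    return MATCH_MISMATCH if saw_host else MATCH_MISSING


# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SALT = bytes(range(20))
ED25519_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERED25519BLOB"
RSA_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERRSABLOB"
KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "files.example.internal,10.0.0.12 ssh-ed25519 " + ED25519_BLOB,
    hashed_host_field("backup.example.internal", SALT) + " ssh-rsa " + RSA_BLOB,
    "@revoked old.example.internal ssh-rsa " + RSA_BLOB,
])

if __name__ == "__main__":
    # The CVE scenario: the host is recorded as ssh-ed25519, server offers ssh-rsa.
    print(verify_host_key(KNOWN_HOSTS, "files.example.internal", "ssh-rsa", RSA_BLOB))
    print(verify_host_key(KNOWN_HOSTS, "backup.example.internal", "ssh-rsa", RSA_BLOB))
```

The case to focus on is the first `print`: the host is known, so a key of an unexpected type is an active warning sign (a proxy terminating SSH, or a server whose key was swapped), and a client must stop rather than fall through to the unknown-host path.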


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause a libcurl-based application to silently trust an untrusted SSH server during SCP or SFTP connections. The primary security consequence is a man-in-the-middle condition in which host authenticity checks are bypassed for a mismatched server key type, undermining SSH trust-on-first-use/known_hosts protections and potentially exposing transferred data or credentials to interception or manipulation.

Mitigation

If you can’t patch tonight, do this now.

If patching is not immediately possible, build libcurl with the libssh2 backend instead of libssh, since the issue is reported as not affecting libssh2 builds. Where feasible, avoid relying on the vulnerable callback path until patched, and restrict exposure to untrusted SSH endpoints or networks where man-in-the-middle attacks are plausible.

Remediation

Patch, then assume compromise.

Upgrade curl/libcurl to version 8.21.0 or later. If immediate upgrade is not possible, apply the upstream fix associated with commit 0b8dbbc63c98777e4584cb9 and rebuild. Ensure affected applications using SCP:// or SFTP:// with CURLOPT_SSH_KEYFUNCTION are linked against a patched libcurl.
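For the backend check in the mitigation section and the version check in the remediation section, the following added example (not from the curl project or this advisory) parses the first line of `curl --version` output, which names the libcurl version and the SSH backend it was built with (`libssh/...` or `libssh2/...`), and applies the affected range stated on this page. The sample lines are constructed. Two caveats a practitioner should keep in mind: `curl --version` describes the libcurl that the curl binary links, so an application bundling its own libcurl must be checked against that copy (the same `version` and `libssh_version` fields are available in-process via `curl_version_info()`), and distribution packages that backport the fix without changing the version number will show as affected here.

```python
"""Assess a libcurl build against the CVE-2026-9547 affected range.

Added example, not curl project code. Affected per the advisory: libcurl
7.69.0 through 8.20.0 built with the libssh backend; libssh2 builds and
8.21.0+ are not affected.
"""
import re
import subprocess

AFFECTED_MIN = (7, 69, 0)
FIXED_IN = (8, 21, 0)

AFFECTED = "affected"
NOT_AFFECTED_BACKEND = "not-affected-backend"   # built with libssh2
NOT_AFFECTED_VERSION = "not-affected-version"   # outside 7.69.0..8.20.0
NO_SSH_BACKEND = "no-ssh-backend"               # no SCP/SFTP support compiled in


def parse_version_line(line: str) -> dict:
    """Pull the libcurl version tuple and SSH backend name out of `curl -V` line 1."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in: %r" % line)
    version = tuple(int(x) for x in m.groups())
    backend = None
    for token in line.split():
        name = token.split("/", 1)[0]          # e.g. "libssh/0.10.6/openssl/zlib"
        if name in ("libssh", "libssh2"):
            backend = name
            break
    return {"version": version, "ssh_backend": backend}


def assess(info: dict) -> str:
    """Map parsed build info onto the advisory's affected conditions."""
    backend = info["ssh_backend"]
    if backend is None:
        return NO_SSH_BACKEND
    if backend == "libssh2":
        return NOT_AFFECTED_BACKEND
    if AFFECTED_MIN <= info["version"] < FIXED_IN:
        return AFFECTED
    return NOT_AFFECTED_VERSION


def assess_line(line: str) -> str:
    return assess(parse_version_line(line))


def check_local_curl() -> str:
    """Run the local `curl --version` and assess its first line."""
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True, check=True)
    return assess_line(out.stdout.splitlines()[0])


# Constructed sample first lines in the real `curl --version` layout.
SAMPLES = {
    "libssh_in_range": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 "
                       "zlib/1.3 libssh/0.10.6/openssl/zlib nghttp2/1.59.0",
    "libssh2_in_range": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 "
                        "zlib/1.3 libssh2/1.11.0 nghttp2/1.59.0",
    "libssh_fixed": "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 "
                    "libssh/0.10.6/openssl/zlib",
    "libssh_too_old": "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1 "
                      "libssh/0.9.3/openssl/zlib",
    "no_ssh": "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print("%-17s %s" % (name, assess_line(line)))
    try:
        print("local curl:       ", check_local_curl())
    except (OSError, subprocess.CalledProcessError) as exc:
        print("local curl:        not checked (%s)" % exc)
```

An "affected" verdict is necessary but not sufficient: the page scopes the flaw to applications that use CURLOPT_SSH_KEYFUNCTION for SCP:// or SFTP:// transfers, which a build check cannot see, so treat the result as the list of libcurl copies whose consuming applications need review.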
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.
