When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Curl
  • Libcurl
Haxx
  • Curl

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

No data.

References
Link Providers
https://curl.se/docs/CVE-2026-6429.html cve-icon cve-icon cve-icon
https://curl.se/docs/CVE-2026-6429.json cve-icon cve-icon
https://hackerone.com/reports/3677759 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-6429 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-6429 cve-icon
History

Thu, 14 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Haxx
Haxx curl
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Vendors & Products Haxx
Haxx curl

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 13 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials. When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
Title curl: libcurl: Credential leak via reused proxy connection during HTTP redirects netrc credential leak with reused proxy connection
References

Fri, 01 May 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl libcurl
Vendors & Products Curl
Curl libcurl

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials.
Title curl: libcurl: Credential leak via reused proxy connection during HTTP redirects
Weaknesses CWE-201
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

threat_severity

Moderate
cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-05-13T08:28:36.166Z

Updated: 2026-05-13T14:03:55.343Z

Reserved: 2026-04-16T14:48:02.991Z

Link: CVE-2026-6429

cve-icon Vulnrichment

Updated: 2026-05-13T14:03:47.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T13:01:56.930

Modified: 2026-05-14T14:18:02.240

Link: CVE-2026-6429

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6429 - Bugzilla