6.5 CVE-2026-3784

Enriched by CISA Patch Exploit
 

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
https://nvd.nist.gov/vuln/detail/CVE-2026-3784

Categories

CWE-305 : Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. The provided password is only compared against the first character of the real password. The password is not properly checked, which allows remote attackers to bypass access controls by sending a 1-byte password that matches the first character of the real password. Chain: Forum software does not properly initialize an array, which inadvertently sets the password to a single character, allowing remote attackers to easily guess the password and gain administrative privileges.

References

2499f714-1537-4658-8207-48ae4bb9eae9 Patch Exploit

https://curl.se/docs/CVE-2026-3784.html
Patch Vendor Advisory
https://curl.se/docs/CVE-2026-3784.json
Vendor Advisory
https://hackerone.com/reports/3584903
Exploit Issue Tracking Third Party Advisory

af854a3a-2127-422b-91ae-364da2661108 Patch Exploit


 

AFFECTED (from MITRE)

Vendor Product Versions
curl curl
  • 8.18.0 ≤ 8.18.0 [affected]
  • 8.17.0 ≤ 8.17.0 [affected]
  • 8.16.0 ≤ 8.16.0 [affected]
  • 8.15.0 ≤ 8.15.0 [affected]
  • 8.14.1 ≤ 8.14.1 [affected]
  • 8.14.0 ≤ 8.14.0 [affected]
  • 8.13.0 ≤ 8.13.0 [affected]
  • 8.12.1 ≤ 8.12.1 [affected]
  • 8.12.0 ≤ 8.12.0 [affected]
  • 8.11.1 ≤ 8.11.1 [affected]
  • 8.11.0 ≤ 8.11.0 [affected]
  • 8.10.1 ≤ 8.10.1 [affected]
  • 8.10.0 ≤ 8.10.0 [affected]
  • 8.9.1 ≤ 8.9.1 [affected]
  • 8.9.0 ≤ 8.9.0 [affected]
  • 8.8.0 ≤ 8.8.0 [affected]
  • 8.7.1 ≤ 8.7.1 [affected]
  • 8.7.0 ≤ 8.7.0 [affected]
  • 8.6.0 ≤ 8.6.0 [affected]
  • 8.5.0 ≤ 8.5.0 [affected]
  • 8.4.0 ≤ 8.4.0 [affected]
  • 8.3.0 ≤ 8.3.0 [affected]
  • 8.2.1 ≤ 8.2.1 [affected]
  • 8.2.0 ≤ 8.2.0 [affected]
  • 8.1.2 ≤ 8.1.2 [affected]
  • 8.1.1 ≤ 8.1.1 [affected]
  • 8.1.0 ≤ 8.1.0 [affected]
  • 8.0.1 ≤ 8.0.1 [affected]
  • 8.0.0 ≤ 8.0.0 [affected]
  • 7.88.1 ≤ 7.88.1 [affected]
  • 7.88.0 ≤ 7.88.0 [affected]
  • 7.87.0 ≤ 7.87.0 [affected]
  • 7.86.0 ≤ 7.86.0 [affected]
  • 7.85.0 ≤ 7.85.0 [affected]
  • 7.84.0 ≤ 7.84.0 [affected]
  • 7.83.1 ≤ 7.83.1 [affected]
  • 7.83.0 ≤ 7.83.0 [affected]
  • 7.82.0 ≤ 7.82.0 [affected]
  • 7.81.0 ≤ 7.81.0 [affected]
  • 7.80.0 ≤ 7.80.0 [affected]
  • 7.79.1 ≤ 7.79.1 [affected]
  • 7.79.0 ≤ 7.79.0 [affected]
  • 7.78.0 ≤ 7.78.0 [affected]
  • 7.77.0 ≤ 7.77.0 [affected]
  • 7.76.1 ≤ 7.76.1 [affected]
  • 7.76.0 ≤ 7.76.0 [affected]
  • 7.75.0 ≤ 7.75.0 [affected]
  • 7.74.0 ≤ 7.74.0 [affected]
  • 7.73.0 ≤ 7.73.0 [affected]
  • 7.72.0 ≤ 7.72.0 [affected]
  • 7.71.1 ≤ 7.71.1 [affected]
  • 7.71.0 ≤ 7.71.0 [affected]
  • 7.70.0 ≤ 7.70.0 [affected]
  • 7.69.1 ≤ 7.69.1 [affected]
  • 7.69.0 ≤ 7.69.0 [affected]
  • 7.68.0 ≤ 7.68.0 [affected]
  • 7.67.0 ≤ 7.67.0 [affected]
  • 7.66.0 ≤ 7.66.0 [affected]
  • 7.65.3 ≤ 7.65.3 [affected]
  • 7.65.2 ≤ 7.65.2 [affected]
  • 7.65.1 ≤ 7.65.1 [affected]
  • 7.65.0 ≤ 7.65.0 [affected]
  • 7.64.1 ≤ 7.64.1 [affected]
  • 7.64.0 ≤ 7.64.0 [affected]
  • 7.63.0 ≤ 7.63.0 [affected]
  • 7.62.0 ≤ 7.62.0 [affected]
  • 7.61.1 ≤ 7.61.1 [affected]
  • 7.61.0 ≤ 7.61.0 [affected]
  • 7.60.0 ≤ 7.60.0 [affected]
  • 7.59.0 ≤ 7.59.0 [affected]
  • 7.58.0 ≤ 7.58.0 [affected]
  • 7.57.0 ≤ 7.57.0 [affected]
  • 7.56.1 ≤ 7.56.1 [affected]
  • 7.56.0 ≤ 7.56.0 [affected]
  • 7.55.1 ≤ 7.55.1 [affected]
  • 7.55.0 ≤ 7.55.0 [affected]
  • 7.54.1 ≤ 7.54.1 [affected]
  • 7.54.0 ≤ 7.54.0 [affected]
  • 7.53.1 ≤ 7.53.1 [affected]
  • 7.53.0 ≤ 7.53.0 [affected]
  • 7.52.1 ≤ 7.52.1 [affected]
  • 7.52.0 ≤ 7.52.0 [affected]
  • 7.51.0 ≤ 7.51.0 [affected]
  • 7.50.3 ≤ 7.50.3 [affected]
  • 7.50.2 ≤ 7.50.2 [affected]
  • 7.50.1 ≤ 7.50.1 [affected]
  • 7.50.0 ≤ 7.50.0 [affected]
  • 7.49.1 ≤ 7.49.1 [affected]
  • 7.49.0 ≤ 7.49.0 [affected]
  • 7.48.0 ≤ 7.48.0 [affected]
  • 7.47.1 ≤ 7.47.1 [affected]
  • 7.47.0 ≤ 7.47.0 [affected]
  • 7.46.0 ≤ 7.46.0 [affected]
  • 7.45.0 ≤ 7.45.0 [affected]
  • 7.44.0 ≤ 7.44.0 [affected]
  • 7.43.0 ≤ 7.43.0 [affected]
  • 7.42.1 ≤ 7.42.1 [affected]
  • 7.42.0 ≤ 7.42.0 [affected]
  • 7.41.0 ≤ 7.41.0 [affected]
  • 7.40.0 ≤ 7.40.0 [affected]
  • 7.39.0 ≤ 7.39.0 [affected]
  • 7.38.0 ≤ 7.38.0 [affected]
  • 7.37.1 ≤ 7.37.1 [affected]
  • 7.37.0 ≤ 7.37.0 [affected]
  • 7.36.0 ≤ 7.36.0 [affected]
  • 7.35.0 ≤ 7.35.0 [affected]
  • 7.34.0 ≤ 7.34.0 [affected]
  • 7.33.0 ≤ 7.33.0 [affected]
  • 7.32.0 ≤ 7.32.0 [affected]
  • 7.31.0 ≤ 7.31.0 [affected]
  • 7.30.0 ≤ 7.30.0 [affected]
  • 7.29.0 ≤ 7.29.0 [affected]
  • 7.28.1 ≤ 7.28.1 [affected]
  • 7.28.0 ≤ 7.28.0 [affected]
  • 7.27.0 ≤ 7.27.0 [affected]
  • 7.26.0 ≤ 7.26.0 [affected]
  • 7.25.0 ≤ 7.25.0 [affected]
  • 7.24.0 ≤ 7.24.0 [affected]
  • 7.23.1 ≤ 7.23.1 [affected]
  • 7.23.0 ≤ 7.23.0 [affected]
  • 7.22.0 ≤ 7.22.0 [affected]
  • 7.21.7 ≤ 7.21.7 [affected]
  • 7.21.6 ≤ 7.21.6 [affected]
  • 7.21.5 ≤ 7.21.5 [affected]
  • 7.21.4 ≤ 7.21.4 [affected]
  • 7.21.3 ≤ 7.21.3 [affected]
  • 7.21.2 ≤ 7.21.2 [affected]
  • 7.21.1 ≤ 7.21.1 [affected]
  • 7.21.0 ≤ 7.21.0 [affected]
  • 7.20.1 ≤ 7.20.1 [affected]
  • 7.20.0 ≤ 7.20.0 [affected]
  • 7.19.7 ≤ 7.19.7 [affected]
  • 7.19.6 ≤ 7.19.6 [affected]
  • 7.19.5 ≤ 7.19.5 [affected]
  • 7.19.4 ≤ 7.19.4 [affected]
  • 7.19.3 ≤ 7.19.3 [affected]
  • 7.19.2 ≤ 7.19.2 [affected]
  • 7.19.1 ≤ 7.19.1 [affected]
  • 7.19.0 ≤ 7.19.0 [affected]
  • 7.18.2 ≤ 7.18.2 [affected]
  • 7.18.1 ≤ 7.18.1 [affected]
  • 7.18.0 ≤ 7.18.0 [affected]
  • 7.17.1 ≤ 7.17.1 [affected]
  • 7.17.0 ≤ 7.17.0 [affected]
  • 7.16.4 ≤ 7.16.4 [affected]
  • 7.16.3 ≤ 7.16.3 [affected]
  • 7.16.2 ≤ 7.16.2 [affected]
  • 7.16.1 ≤ 7.16.1 [affected]
  • 7.16.0 ≤ 7.16.0 [affected]
  • 7.15.5 ≤ 7.15.5 [affected]
  • 7.15.4 ≤ 7.15.4 [affected]
  • 7.15.3 ≤ 7.15.3 [affected]
  • 7.15.2 ≤ 7.15.2 [affected]
  • 7.15.1 ≤ 7.15.1 [affected]
  • 7.15.0 ≤ 7.15.0 [affected]
  • 7.14.1 ≤ 7.14.1 [affected]
  • 7.14.0 ≤ 7.14.0 [affected]
  • 7.13.2 ≤ 7.13.2 [affected]
  • 7.13.1 ≤ 7.13.1 [affected]
  • 7.13.0 ≤ 7.13.0 [affected]
  • 7.12.3 ≤ 7.12.3 [affected]
  • 7.12.2 ≤ 7.12.2 [affected]
  • 7.12.1 ≤ 7.12.1 [affected]
  • 7.12.0 ≤ 7.12.0 [affected]
  • 7.11.2 ≤ 7.11.2 [affected]
  • 7.11.1 ≤ 7.11.1 [affected]
  • 7.11.0 ≤ 7.11.0 [affected]
  • 7.10.8 ≤ 7.10.8 [affected]
  • 7.10.7 ≤ 7.10.7 [affected]
  • 7.10.6 ≤ 7.10.6 [affected]
  • 7.10.5 ≤ 7.10.5 [affected]
  • 7.10.4 ≤ 7.10.4 [affected]
  • 7.10.3 ≤ 7.10.3 [affected]
  • 7.10.2 ≤ 7.10.2 [affected]
  • 7.10.1 ≤ 7.10.1 [affected]
  • 7.10 ≤ 7.10 [affected]
  • 7.9.8 ≤ 7.9.8 [affected]
  • 7.9.7 ≤ 7.9.7 [affected]
  • 7.9.6 ≤ 7.9.6 [affected]
  • 7.9.5 ≤ 7.9.5 [affected]
  • 7.9.4 ≤ 7.9.4 [affected]
  • 7.9.3 ≤ 7.9.3 [affected]
  • 7.9.2 ≤ 7.9.2 [affected]
  • 7.9.1 ≤ 7.9.1 [affected]
  • 7.9 ≤ 7.9 [affected]
  • 7.8.1 ≤ 7.8.1 [affected]
  • 7.8 ≤ 7.8 [affected]
  • 7.7.3 ≤ 7.7.3 [affected]
  • 7.7.2 ≤ 7.7.2 [affected]
  • 7.7.1 ≤ 7.7.1 [affected]
  • 7.7 ≤ 7.7 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe start end
Configuration 1
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* >= 7.7 < 8.18.0

REMEDIATION

Patch

Url
https://curl.se/docs/CVE-2026-3784.html

EXPLOITS

Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://hackerone.com/reports/3584903

CAPEC

Common Attack Pattern Enumerations and Classifications

id description severity
No entry