CVE-2026-6253
CVE-2026-6253 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. curl might erroneously pass on credentials for a first proxy to a second proxy when it is set up to use specific different proxies for different URL schemes; the full set of conditions is given in the Description below. EPSS estimates a 0.64% chance of exploitation in the next 30 days.
Description
curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true:

1. curl is set up to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
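A configuration check for the preconditions above, added here as an example (it is not code from the curl project or from NVD). It takes a mapping from URL scheme to the proxy curl would use for that scheme, in the form of the `http_proxy` / `https_proxy` environment variable values, plus the curl version, and reports the scheme pairs where a cross-scheme redirect would meet conditions 1 to 3. The proxy hostnames, credentials and version strings are constructed sample values.

```python
from urllib.parse import urlparse

# Affected range as stated in the record: >= 7.14.1, < 8.20.0
AFFECTED_MIN = (7, 14, 1)
FIXED_IN = (8, 20, 0)


def parse_version(version: str) -> tuple:
    """Turn 'x.y.z' into a comparable tuple of ints."""
    return tuple(int(p) for p in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def normalize_proxy(proxy: str) -> str:
    """curl treats a proxy given without a scheme as http://."""
    return proxy if "://" in proxy else "http://" + proxy


def has_credentials(proxy: str) -> bool:
    u = urlparse(normalize_proxy(proxy))
    return bool(u.username or u.password)


def same_endpoint(a: str, b: str) -> bool:
    ua, ub = urlparse(normalize_proxy(a)), urlparse(normalize_proxy(b))
    return (ua.scheme, ua.hostname, ua.port) == (ub.scheme, ub.hostname, ub.port)


def risky_redirect_pairs(proxies: dict, curl_version: str) -> list:
    """proxies maps a URL scheme ('http', 'https', ...) to the proxy curl would
    use for it, e.g. the values of http_proxy / https_proxy. Returns (from, to)
    scheme pairs where a redirect from 'from' to 'to' meets conditions 1-3:
    different proxies, the first with credentials, the second without."""
    if not is_affected_version(curl_version):
        return []
    pairs = []
    for s_from, p_from in proxies.items():
        for s_to, p_to in proxies.items():
            if s_from == s_to or same_endpoint(p_from, p_to):
                continue
            if has_credentials(p_from) and not has_credentials(p_to):
                pairs.append((s_from, s_to))
    return pairs


if __name__ == "__main__":
    # Constructed sample: http traffic goes through an authenticated proxy,
    # https through a different, unauthenticated one.
    sample = {
        "http": "http://alice:s3cret@proxy-a.example:3128",
        "https": "proxy-b.example:3128",
    }
    for version in ("8.19.0", "8.20.0"):
        print(version, risky_redirect_pairs(sample, version))
```

A non-empty result means a redirect from the first scheme to the second would cross from an authenticated proxy to an unauthenticated one on an affected curl; upgrading to 8.20.0 or later, or giving both schemes the same proxy, clears the finding.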
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Haxx | Curl | >= 7.14.1, < 8.20.0 |
References
- https://curl.se/docs/CVE-2026-6253.html (Patch, Vendor Advisory)
- https://curl.se/docs/CVE-2026-6253.json (Vendor Advisory)
- https://hackerone.com/reports/3669637 (Exploit, Issue Tracking, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2026/04/29/11 (Mailing List, Patch, Third Party Advisory)
Source: NVD / NIST
