Fluid Attacks Database

Description

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	curl	=7.88.1-10 \|\| =7.88.1-10+deb12u1 \|\| =7.88.1-10+deb12u11 \|\| =7.88.1-10+deb12u12 \|\| =7.88.1-10+deb12u13 \|\| =7.88.1-10+deb12u14 \|\| =7.88.1-10+deb12u1~bpo11+1 \|\| =7.88.1-10+deb12u2 \|\| =7.88.1-10+deb12u3 \|\| =7.88.1-10+deb12u3~bpo11+1 \|\| =7.88.1-10+deb12u4 \|\| =7.88.1-10+deb12u5 \|\| =7.88.1-10+deb12u5~bpo11+1 \|\| =7.88.1-10+deb12u6 \|\| =7.88.1-10+deb12u6~bpo11+1 \|\| =7.88.1-10+deb12u7 \|\| =7.88.1-10+deb12u8 \|\| =7.88.1-10+deb12u9 \|\| =7.88.1-11 \|\| =8.0.1-1~exp1 \|\| =8.10.0-1 \|\| =8.10.0-2 \|\| =8.10.1-1 \|\| =8.10.1-1~bpo12+1 \|\| =8.10.1-2 \|\| =8.11.0-1 \|\| =8.11.1-1 \|\| =8.11.1-1~bpo12+1 \|\| =8.12.0+git20250209.89ed161+ds-1 \|\| =8.12.0+git20250209.89ed161+ds-1~bpo12+1 \|\| =8.12.1-1 \|\| =8.12.1-2 \|\| =8.12.1-2~bpo12+1 \|\| =8.12.1-3 \|\| =8.12.1-3~bpo12+1 \|\| =8.13.0-1 \|\| =8.13.0-1+exp1 \|\| =8.13.0-2 \|\| =8.13.0-2+exp1 \|\| =8.13.0-3 \|\| =8.13.0-4 \|\| =8.13.0-4+exp1 \|\| =8.13.0-5 \|\| =8.13.0-5+exp1 \|\| =8.13.0-5~bpo12+1 \|\| =8.13.0~rc-1~exp1 \|\| =8.13.0~rc-1~exp2 \|\| =8.13.0~rc2-1 \|\| =8.13.0~rc2-2 \|\| =8.13.0~rc3-1 \|\| =8.13.0~rc3-1+exp1 \|\| =8.14.0-1 \|\| =8.14.0-1+exp1 \|\| =8.14.0~rc1-1+exp1 \|\| =8.14.0~rc2-1+exp1 \|\| =8.14.0~rc3-1+exp1 \|\| =8.14.1-1 \|\| =8.14.1-1~bpo12+1 \|\| =8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.14.1-2~bpo12+1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.2.1-1 \|\| =8.2.1-2 \|\| =8.2.1-2~bpo12+1 \|\| =8.20.0-1 \|\| =8.20.0-1+exp \|\| =8.20.0-2 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1 \|\| =8.3.0-1 \|\| =8.3.0-2 \|\| =8.3.0-2~bpo12+1 \|\| =8.3.0-2~exp1 \|\| =8.3.0-3 \|\| =8.4.0-1 \|\| =8.4.0-2 \|\| =8.4.0-2~bpo12+1 \|\| =8.5.0-1 \|\| =8.5.0-1+exp1 \|\| =8.5.0-2 \|\| =8.5.0-2+exp1 \|\| =8.5.0-2~bpo12+1 \|\| =8.6.0-1 \|\| =8.6.0-1.1 \|\| =8.6.0-2 \|\| =8.6.0-3 \|\| =8.6.0-3.1 \|\| =8.6.0-3.1~exp1 \|\| =8.6.0-3.1~exp2 \|\| =8.6.0-3.2 \|\| =8.6.0-4 \|\| =8.7.1-1 \|\| =8.7.1-1+exp1 \|\| =8.7.1-2 \|\| =8.7.1-3 \|\| =8.7.1-4 \|\| =8.7.1-5 \|\| =8.7.1-5+exp1 \|\| =8.7.1-5~bpo12+1 \|\| =8.8.0-1 \|\| =8.8.0-1+exp1 \|\| =8.8.0-1+exp2 \|\| =8.8.0-1~bpo12+1 \|\| =8.8.0-2 \|\| =8.8.0-3 \|\| =8.8.0-4 \|\| =8.9.0-1 \|\| =8.9.0-2 \|\| =8.9.0-3 \|\| =8.9.1-1 \|\| =8.9.1-2 \|\| =8.9.1-2~bpo12+1	-
debian 11	curl	=7.74.0-1.3 \|\| =7.74.0-1.3+deb11u1 \|\| =7.74.0-1.3+deb11u10 \|\| =7.74.0-1.3+deb11u11 \|\| =7.74.0-1.3+deb11u12 \|\| =7.74.0-1.3+deb11u13 \|\| =7.74.0-1.3+deb11u14 \|\| =7.74.0-1.3+deb11u15 \|\| =7.74.0-1.3+deb11u16 \|\| =7.74.0-1.3+deb11u2 \|\| =7.74.0-1.3+deb11u3 \|\| =7.74.0-1.3+deb11u4 \|\| =7.74.0-1.3+deb11u5 \|\| =7.74.0-1.3+deb11u6 \|\| =7.74.0-1.3+deb11u7 \|\| =7.74.0-1.3+deb11u7~bpo11+1 \|\| =7.74.0-1.3+deb11u8 \|\| =7.74.0-1.3+deb11u9 \|\| =7.79.1-1 \|\| =7.79.1-2 \|\| =7.79.1-3~exp1 \|\| =7.79.1-3~exp2 \|\| =7.80.0-1 \|\| =7.80.0-2 \|\| =7.80.0-3 \|\| =7.81.0-1 \|\| =7.81.0-1~bpo11+1 \|\| =7.82.0-1 \|\| =7.82.0-2 \|\| =7.82.0-2~bpo11+1 \|\| =7.83.0-1 \|\| =7.83.1-1 \|\| =7.83.1-2 \|\| =7.84.0-1 \|\| =7.84.0-2 \|\| =7.84.0-2~bpo11+1 \|\| =7.85.0-1 \|\| =7.85.0-1~bpo11+1 \|\| =7.86.0-1 \|\| =7.86.0-2 \|\| =7.86.0-3 \|\| =7.87.0-1 \|\| =7.87.0-1~bpo11+1 \|\| =7.87.0-2 \|\| =7.87.0-2~bpo11+1 \|\| =7.88.1-1 \|\| =7.88.1-10 \|\| =7.88.1-11 \|\| =7.88.1-1~bpo11+1 \|\| =7.88.1-2 \|\| =7.88.1-2~exp1 \|\| =7.88.1-2~exp2 \|\| =7.88.1-2~exp3 \|\| =7.88.1-2~exp4 \|\| =7.88.1-3 \|\| =7.88.1-4 \|\| =7.88.1-5 \|\| =7.88.1-6 \|\| =7.88.1-7 \|\| =7.88.1-7~bpo11+1 \|\| =7.88.1-7~bpo11+2 \|\| =7.88.1-7~exp1 \|\| =7.88.1-8 \|\| =7.88.1-8~exp1 \|\| =7.88.1-9 \|\| =8.0.1-1~exp1 \|\| =8.10.0-1 \|\| =8.10.0-2 \|\| =8.10.1-1 \|\| =8.10.1-1~bpo12+1 \|\| =8.10.1-2 \|\| =8.11.0-1 \|\| =8.11.1-1 \|\| =8.11.1-1~bpo12+1 \|\| =8.12.0+git20250209.89ed161+ds-1 \|\| =8.12.0+git20250209.89ed161+ds-1~bpo12+1 \|\| =8.12.1-1 \|\| =8.12.1-2 \|\| =8.12.1-2~bpo12+1 \|\| =8.12.1-3 \|\| =8.12.1-3~bpo12+1 \|\| =8.13.0-1 \|\| =8.13.0-1+exp1 \|\| =8.13.0-2 \|\| =8.13.0-2+exp1 \|\| =8.13.0-3 \|\| =8.13.0-4 \|\| =8.13.0-4+exp1 \|\| =8.13.0-5 \|\| =8.13.0-5+exp1 \|\| =8.13.0-5~bpo12+1 \|\| =8.13.0~rc-1~exp1 \|\| =8.13.0~rc-1~exp2 \|\| =8.13.0~rc2-1 \|\| =8.13.0~rc2-2 \|\| =8.13.0~rc3-1 \|\| =8.13.0~rc3-1+exp1 \|\| =8.14.0-1 \|\| =8.14.0-1+exp1 \|\| =8.14.0~rc1-1+exp1 \|\| =8.14.0~rc2-1+exp1 \|\| =8.14.0~rc3-1+exp1 \|\| =8.14.1-1 \|\| =8.14.1-1~bpo12+1 \|\| =8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.14.1-2~bpo12+1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.2.1-1 \|\| =8.2.1-2 \|\| =8.2.1-2~bpo12+1 \|\| =8.20.0-1 \|\| =8.20.0-1+exp \|\| =8.20.0-2 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1 \|\| =8.3.0-1 \|\| =8.3.0-2 \|\| =8.3.0-2~bpo12+1 \|\| =8.3.0-2~exp1 \|\| =8.3.0-3 \|\| =8.4.0-1 \|\| =8.4.0-2 \|\| =8.4.0-2~bpo12+1 \|\| =8.5.0-1 \|\| =8.5.0-1+exp1 \|\| =8.5.0-2 \|\| =8.5.0-2+exp1 \|\| =8.5.0-2~bpo12+1 \|\| =8.6.0-1 \|\| =8.6.0-1.1 \|\| =8.6.0-2 \|\| =8.6.0-3 \|\| =8.6.0-3.1 \|\| =8.6.0-3.1~exp1 \|\| =8.6.0-3.1~exp2 \|\| =8.6.0-3.2 \|\| =8.6.0-4 \|\| =8.7.1-1 \|\| =8.7.1-1+exp1 \|\| =8.7.1-2 \|\| =8.7.1-3 \|\| =8.7.1-4 \|\| =8.7.1-5 \|\| =8.7.1-5+exp1 \|\| =8.7.1-5~bpo12+1 \|\| =8.8.0-1 \|\| =8.8.0-1+exp1 \|\| =8.8.0-1+exp2 \|\| =8.8.0-1~bpo12+1 \|\| =8.8.0-2 \|\| =8.8.0-3 \|\| =8.8.0-4 \|\| =8.9.0-1 \|\| =8.9.0-2 \|\| =8.9.0-3 \|\| =8.9.1-1 \|\| =8.9.1-2 \|\| =8.9.1-2~bpo12+1	-
debian 14	curl	=8.14.1-2 \|\| =8.14.1-2+exp1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1 \|\| >=0 <8.20.0-1	8.20.0-1
debian 13	curl	=8.14.1-2 \|\| =8.14.1-2+deb13u1 \|\| =8.14.1-2+deb13u2 \|\| =8.14.1-2+deb13u2~bpo13+1 \|\| =8.14.1-2+deb13u3 \|\| =8.14.1-2+exp1 \|\| =8.15.0-1 \|\| =8.15.0-1~bpo13+1 \|\| =8.15.0-1~exp1 \|\| =8.15.0~rc1-1exp1 \|\| =8.15.0~rc2-1~exp1 \|\| =8.15.0~rc3-1~exp1 \|\| =8.16.0-1 \|\| =8.16.0-1+exp1 \|\| =8.16.0-1~bpo13+1 \|\| =8.16.0-2 \|\| =8.16.0-3 \|\| =8.16.0-4 \|\| =8.16.0-4~bpo13+1 \|\| =8.16.0~rc1-1~exp1 \|\| =8.16.0~rc2-1 \|\| =8.16.0~rc2-2 \|\| =8.16.0~rc3-1 \|\| =8.17.0-1 \|\| =8.17.0-2 \|\| =8.17.0-3 \|\| =8.17.0~rc1-1~exp1 \|\| =8.17.0~rc2-1 \|\| =8.17.0~rc3-1 \|\| =8.18.0-1 \|\| =8.18.0-1~bpo13+1 \|\| =8.18.0-2 \|\| =8.18.0~rc1-1+exp1 \|\| =8.18.0~rc2-1 \|\| =8.18.0~rc3-1 \|\| =8.19.0-1 \|\| =8.19.0-1+exp1 \|\| =8.19.0-1~bpo13+1 \|\| =8.19.0-2 \|\| =8.19.0-3 \|\| =8.19.0-3+exp1 \|\| =8.19.0-3+exp2 \|\| =8.19.0~rc1-1~exp1 \|\| =8.19.0~rc2-1 \|\| =8.19.0~rc2-2 \|\| =8.19.0~rc3-1 \|\| =8.20.0-1 \|\| =8.20.0-1+exp \|\| =8.20.0-2 \|\| =8.20.0~rc1-1+exp1 \|\| =8.20.0~rc1-1+exp2 \|\| =8.20.0~rc1-1+exp3 \|\| =8.20.0~rc2-1 \|\| =8.20.0~rc2-1+exp1 \|\| =8.20.0~rc3-1 \|\| =8.20.0~rc3-1+exp1	-
rpm rhel7	curl	-	-
rpm rhel9	curl	-	-
rpm rhel10	curl	-	-
rpm rhel6	curl	-	-
rpm rhel8	curl	-	-

Aliases

1. CVE-2026-71682. NVD-2026-71683. OSV-DEBIAN-2026-71684. OSV-2026-71685. SECURITY-TRACKER-CVE-2026-7168

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.