Fluid Attacks Database

Description

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different, proxy

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	curl	-	-
rpm rhel10	rust	-	-
rpm rhel10	curl	-	-
rpm rhel8	curl	-	-
rpm rhel6	curl	-	-
rpm rhel7	curl	-	-
rpm rhel10	snphost	-	-
rpm rhel9	snphost	-	-
rpm rhel9	rust	-	-
rpm rhel10	s390utils	-	-

1-10 of 17

Aliases

1. CVE-2026-62532. NVD-2026-62533. OSV-2026-62534. OSV-DEBIAN-2026-62535. SECURITY-TRACKER-CVE-2026-6253

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.