cross-proxy Digest auth state leak
Summary
| CVE | CVE-2026-7168 |
|---|---|
| State | PUBLISHED |
| Assigner | curl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-13 13:01:57 UTC |
| Updated | 2026-05-14 14:12:48 UTC |
| Description | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.000790000 probability, percentile 0.231610000 (date 2026-05-25)
Problem Types: CWE-294 | CWE-294 Authentication Bypass by Capture-replay
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | ADP | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Curl | Curl | affected 8.19.0 8.19.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.18.0 8.18.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.17.0 8.17.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.16.0 8.16.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.15.0 8.15.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.14.1 8.14.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.14.0 8.14.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.13.0 8.13.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.12.1 8.12.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.12.0 8.12.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.11.1 8.11.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.11.0 8.11.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.10.1 8.10.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.10.0 8.10.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.9.1 8.9.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.9.0 8.9.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.8.0 8.8.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.7.1 8.7.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.7.0 8.7.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.6.0 8.6.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.5.0 8.5.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.4.0 8.4.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.3.0 8.3.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.2.1 8.2.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.2.0 8.2.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.1.2 8.1.2 semver | Not specified |
| CNA | Curl | Curl | affected 8.1.1 8.1.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.1.0 8.1.0 semver | Not specified |
| CNA | Curl | Curl | affected 8.0.1 8.0.1 semver | Not specified |
| CNA | Curl | Curl | affected 8.0.0 8.0.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.88.1 7.88.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.88.0 7.88.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.87.0 7.87.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.86.0 7.86.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.85.0 7.85.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.84.0 7.84.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.83.1 7.83.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.83.0 7.83.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.82.0 7.82.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.81.0 7.81.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.80.0 7.80.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.79.1 7.79.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.79.0 7.79.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.78.0 7.78.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.77.0 7.77.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.76.1 7.76.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.76.0 7.76.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.75.0 7.75.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.74.0 7.74.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.73.0 7.73.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.72.0 7.72.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.71.1 7.71.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.71.0 7.71.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.70.0 7.70.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.69.1 7.69.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.69.0 7.69.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.68.0 7.68.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.67.0 7.67.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.66.0 7.66.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.65.3 7.65.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.65.2 7.65.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.65.1 7.65.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.65.0 7.65.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.64.1 7.64.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.64.0 7.64.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.63.0 7.63.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.62.0 7.62.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.61.1 7.61.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.61.0 7.61.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.60.0 7.60.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.59.0 7.59.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.58.0 7.58.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.57.0 7.57.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.56.1 7.56.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.56.0 7.56.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.55.1 7.55.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.55.0 7.55.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.54.1 7.54.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.54.0 7.54.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.53.1 7.53.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.53.0 7.53.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.52.1 7.52.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.52.0 7.52.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.51.0 7.51.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.50.3 7.50.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.50.2 7.50.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.50.1 7.50.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.50.0 7.50.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.49.1 7.49.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.49.0 7.49.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.48.0 7.48.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.47.1 7.47.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.47.0 7.47.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.46.0 7.46.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.45.0 7.45.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.44.0 7.44.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.43.0 7.43.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.42.1 7.42.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.42.0 7.42.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.41.0 7.41.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.40.0 7.40.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.39.0 7.39.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.38.0 7.38.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.37.1 7.37.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.37.0 7.37.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.36.0 7.36.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.35.0 7.35.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.34.0 7.34.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.33.0 7.33.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.32.0 7.32.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.31.0 7.31.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.30.0 7.30.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.29.0 7.29.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.28.1 7.28.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.28.0 7.28.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.27.0 7.27.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.26.0 7.26.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.25.0 7.25.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.24.0 7.24.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.23.1 7.23.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.23.0 7.23.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.22.0 7.22.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.7 7.21.7 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.6 7.21.6 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.5 7.21.5 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.4 7.21.4 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.3 7.21.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.2 7.21.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.1 7.21.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.21.0 7.21.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.20.1 7.20.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.20.0 7.20.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.7 7.19.7 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.6 7.19.6 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.5 7.19.5 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.4 7.19.4 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.3 7.19.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.2 7.19.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.1 7.19.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.19.0 7.19.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.18.2 7.18.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.18.1 7.18.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.18.0 7.18.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.17.1 7.17.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.17.0 7.17.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.16.4 7.16.4 semver | Not specified |
| CNA | Curl | Curl | affected 7.16.3 7.16.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.16.2 7.16.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.16.1 7.16.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.16.0 7.16.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.5 7.15.5 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.4 7.15.4 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.3 7.15.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.2 7.15.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.1 7.15.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.15.0 7.15.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.14.1 7.14.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.14.0 7.14.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.13.2 7.13.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.13.1 7.13.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.13.0 7.13.0 semver | Not specified |
| CNA | Curl | Curl | affected 7.12.3 7.12.3 semver | Not specified |
| CNA | Curl | Curl | affected 7.12.2 7.12.2 semver | Not specified |
| CNA | Curl | Curl | affected 7.12.1 7.12.1 semver | Not specified |
| CNA | Curl | Curl | affected 7.12.0 7.12.0 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| curl.se/docs/CVE-2026-7168.html | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | Patch, Vendor Advisory |
| curl.se/docs/CVE-2026-7168.json | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | Vendor Advisory |
| hackerone.com/reports/3697719 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | hackerone.com | Exploit, Issue Tracking |
| www.openwall.com/lists/oss-security/2026/04/29/14 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Muhamad Arga Reksapati (en)
CNA: Daniel Stenberg (en)
There are currently no legacy QID mappings associated with this CVE.