sending old referer
Summary
| CVE | CVE-2026-9546 |
|---|---|
| State | PUBLISHED |
| Assigner | curl |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-03 07:16:25 UTC |
| Updated | 2026-07-03 07:16:25 UTC |
| Description | A vulnerability in libcurl caused the HTTP `Referer:` header to persist even when explicitly cleared. While the documentation states that passing NULL to `CURLOPT_REFERER` suppresses the header, the option failed to clear the internal state. As a result the previous referrer string was erroneously reused and sent in subsequent requests, potentially leaking sensitive information to unintended servers. |
Risk And Classification
Problem Types: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| curl.se/docs/CVE-2026-9546.html | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| hackerone.com/reports/3754343 | 2499f714-1537-4658-8207-48ae4bb9eae9 | hackerone.com | |
| curl.se/docs/CVE-2026-9546.json | 2499f714-1537-4658-8207-48ae4bb9eae9 | curl.se | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: renjian on hackerone (en)
CNA: Daniel Stenberg (en)
There are currently no legacy QID mappings associated with this CVE.