{"api_version":"1","generated_at":"2026-07-07T18:15:26+00:00","cve":"CVE-2026-9079","urls":{"html":"https://cve.report/CVE-2026-9079","api":"https://cve.report/api/cve/CVE-2026-9079.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-9079","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-9079"},"summary":{"title":"stale proxy password leak","description":"libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them.","state":"PUBLISHED","assigner":"curl","published_at":"2026-07-03 07:16:25","updated_at":"2026-07-07 15:05:55"},"problem_types":["CWE-522","CWE-522 Insufficiently Protected Credentials"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"9.8","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://curl.se/docs/CVE-2026-9079.json","name":"https://curl.se/docs/CVE-2026-9079.json","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://hackerone.com/reports/3750295","name":"https://hackerone.com/reports/3750295","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://curl.se/docs/CVE-2026-9079.html","name":"https://curl.se/docs/CVE-2026-9079.html","refsource":"2499f714-1537-4658-8207-48ae4bb9eae9","tags":["Patch","Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-9079","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9079","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.20.0 8.20.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.19.0 8.19.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.18.0 8.18.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.17.0 8.17.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.16.0 8.16.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.15.0 8.15.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.14.1 8.14.1 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.14.0 8.14.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.13.0 8.13.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.12.1 8.12.1 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.12.0 8.12.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.11.1 8.11.1 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.11.0 8.11.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.10.1 8.10.1 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.10.0 8.10.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.9.1 8.9.1 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.9.0 8.9.0 semver","platforms":[]},{"source":"CNA","vendor":"curl","product":"curl","version":"affected 8.8.0 8.8.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Guancheng Li","lang":"en"},{"source":"CNA","value":"Daniel Stenberg","lang":"en"}],"nvd_cpes":[{"cve_year":"2026","cve_id":"9079","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"haxx","cpe5":"curl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"9079","cve":"CVE-2026-9079","epss":"0.002500000","percentile":"0.162450000","score_date":"2026-07-06","updated_at":"2026-07-07 00:05:10"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2026-9079","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-06T16:49:15.639683Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-06T16:49:56.248Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://hackerone.com/reports/3750295"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"curl","vendor":"curl","versions":[{"lessThanOrEqual":"8.20.0","status":"affected","version":"8.20.0","versionType":"semver"},{"lessThanOrEqual":"8.19.0","status":"affected","version":"8.19.0","versionType":"semver"},{"lessThanOrEqual":"8.18.0","status":"affected","version":"8.18.0","versionType":"semver"},{"lessThanOrEqual":"8.17.0","status":"affected","version":"8.17.0","versionType":"semver"},{"lessThanOrEqual":"8.16.0","status":"affected","version":"8.16.0","versionType":"semver"},{"lessThanOrEqual":"8.15.0","status":"affected","version":"8.15.0","versionType":"semver"},{"lessThanOrEqual":"8.14.1","status":"affected","version":"8.14.1","versionType":"semver"},{"lessThanOrEqual":"8.14.0","status":"affected","version":"8.14.0","versionType":"semver"},{"lessThanOrEqual":"8.13.0","status":"affected","version":"8.13.0","versionType":"semver"},{"lessThanOrEqual":"8.12.1","status":"affected","version":"8.12.1","versionType":"semver"},{"lessThanOrEqual":"8.12.0","status":"affected","version":"8.12.0","versionType":"semver"},{"lessThanOrEqual":"8.11.1","status":"affected","version":"8.11.1","versionType":"semver"},{"lessThanOrEqual":"8.11.0","status":"affected","version":"8.11.0","versionType":"semver"},{"lessThanOrEqual":"8.10.1","status":"affected","version":"8.10.1","versionType":"semver"},{"lessThanOrEqual":"8.10.0","status":"affected","version":"8.10.0","versionType":"semver"},{"lessThanOrEqual":"8.9.1","status":"affected","version":"8.9.1","versionType":"semver"},{"lessThanOrEqual":"8.9.0","status":"affected","version":"8.9.0","versionType":"semver"},{"lessThanOrEqual":"8.8.0","status":"affected","version":"8.8.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Guancheng Li"},{"lang":"en","type":"remediation developer","value":"Daniel Stenberg"}],"descriptions":[{"lang":"en","value":"libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them."}],"problemTypes":[{"descriptions":[{"description":"CWE-522 Insufficiently Protected Credentials","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-07-03T06:16:51.127Z","orgId":"2499f714-1537-4658-8207-48ae4bb9eae9","shortName":"curl"},"references":[{"name":"json","url":"https://curl.se/docs/CVE-2026-9079.json"},{"name":"www","url":"https://curl.se/docs/CVE-2026-9079.html"},{"name":"issue","url":"https://hackerone.com/reports/3750295"}],"title":"stale proxy password leak"}},"cveMetadata":{"assignerOrgId":"2499f714-1537-4658-8207-48ae4bb9eae9","assignerShortName":"curl","cveId":"CVE-2026-9079","datePublished":"2026-07-03T06:16:51.127Z","dateReserved":"2026-05-20T12:59:41.444Z","dateUpdated":"2026-07-06T16:49:56.248Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-03 07:16:25","lastModifiedDate":"2026-07-07 15:05:55","problem_types":["CWE-522","CWE-522 Insufficiently Protected Credentials"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-06T16:49:15.639683Z","id":"CVE-2026-9079","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*","versionStartIncluding":"8.8.0","versionEndExcluding":"8.21.0","matchCriteriaId":"9238ECE6-3CA5-48A9-B558-DF2BC6CE04AD"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"9079","Ordinal":"1","Title":"stale proxy password leak","CVE":"CVE-2026-9079","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"9079","Ordinal":"1","NoteData":"libcurl had a flaw that when instructed to clear proxy authentication\ncredentials which made it not do so, leaving the old credentials around to get\nused for subsequent transfers that should not know nor use them.","Type":"Description","Title":"stale proxy password leak"}]}}}