libcurl Header Leak: Digest Auth Reused Across Origins
CVE-2026-11856 Published on July 3, 2026

cross-origin Digest auth state leak
Successfully using libcurl to do a transfer to a specific HTTP origin (`hostA`) with **Digest** authentication and then changing the origin to a different one (`hostB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the `Authorization:` header field meant for `hostA`, to `hostB`.

NVD


Products Associated with CVE-2026-11856

Want to know whenever a new CVE is published for Haxx Curl? stack.watch will email you.

 

Affected Versions

curl: