Curl Credential Leak via Proxy Chain Redirect
CVE-2026-6253 Published on May 13, 2026
proxy credentials leak over redirect-to proxy
curl might erroneously pass on credentials for a first proxy to a second
proxy.
This can happen when the following conditions are true:
1. curl is setup to use specific different proxies for different URL schemes
2. the first proxy needs credentials
3. the second proxy uses no credentials
4. while using the first proxy (using say `http://`), curl is asked to follow
a redirect to a URL using another scheme (say `https://`), accessed using a
second, different, proxy
Vulnerability Analysis
CVE-2026-6253 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2026-6253. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH
Products Associated with CVE-2026-6253
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Haxx Curl. Just hit a watch button to start following.
Affected Versions
curl:- Version 8.19.0, <= 8.19.0 is affected.
- Version 8.18.0, <= 8.18.0 is affected.
- Version 8.17.0, <= 8.17.0 is affected.
- Version 8.16.0, <= 8.16.0 is affected.
- Version 8.15.0, <= 8.15.0 is affected.
- Version 8.14.1, <= 8.14.1 is affected.
- Version 8.14.0, <= 8.14.0 is affected.
- Version 8.13.0, <= 8.13.0 is affected.
- Version 8.12.1, <= 8.12.1 is affected.
- Version 8.12.0, <= 8.12.0 is affected.
- Version 8.11.1, <= 8.11.1 is affected.
- Version 8.11.0, <= 8.11.0 is affected.
- Version 8.10.1, <= 8.10.1 is affected.
- Version 8.10.0, <= 8.10.0 is affected.
- Version 8.9.1, <= 8.9.1 is affected.
- Version 8.9.0, <= 8.9.0 is affected.
- Version 8.8.0, <= 8.8.0 is affected.
- Version 8.7.1, <= 8.7.1 is affected.
- Version 8.7.0, <= 8.7.0 is affected.
- Version 8.6.0, <= 8.6.0 is affected.
- Version 8.5.0, <= 8.5.0 is affected.
- Version 8.4.0, <= 8.4.0 is affected.
- Version 8.3.0, <= 8.3.0 is affected.
- Version 8.2.1, <= 8.2.1 is affected.
- Version 8.2.0, <= 8.2.0 is affected.
- Version 8.1.2, <= 8.1.2 is affected.
- Version 8.1.1, <= 8.1.1 is affected.
- Version 8.1.0, <= 8.1.0 is affected.
- Version 8.0.1, <= 8.0.1 is affected.
- Version 8.0.0, <= 8.0.0 is affected.
- Version 7.88.1, <= 7.88.1 is affected.
- Version 7.88.0, <= 7.88.0 is affected.
- Version 7.87.0, <= 7.87.0 is affected.
- Version 7.86.0, <= 7.86.0 is affected.
- Version 7.85.0, <= 7.85.0 is affected.
- Version 7.84.0, <= 7.84.0 is affected.
- Version 7.83.1, <= 7.83.1 is affected.
- Version 7.83.0, <= 7.83.0 is affected.
- Version 7.82.0, <= 7.82.0 is affected.
- Version 7.81.0, <= 7.81.0 is affected.
- Version 7.80.0, <= 7.80.0 is affected.
- Version 7.79.1, <= 7.79.1 is affected.
- Version 7.79.0, <= 7.79.0 is affected.
- Version 7.78.0, <= 7.78.0 is affected.
- Version 7.77.0, <= 7.77.0 is affected.
- Version 7.76.1, <= 7.76.1 is affected.
- Version 7.76.0, <= 7.76.0 is affected.
- Version 7.75.0, <= 7.75.0 is affected.
- Version 7.74.0, <= 7.74.0 is affected.
- Version 7.73.0, <= 7.73.0 is affected.
- Version 7.72.0, <= 7.72.0 is affected.
- Version 7.71.1, <= 7.71.1 is affected.
- Version 7.71.0, <= 7.71.0 is affected.
- Version 7.70.0, <= 7.70.0 is affected.
- Version 7.69.1, <= 7.69.1 is affected.
- Version 7.69.0, <= 7.69.0 is affected.
- Version 7.68.0, <= 7.68.0 is affected.
- Version 7.67.0, <= 7.67.0 is affected.
- Version 7.66.0, <= 7.66.0 is affected.
- Version 7.65.3, <= 7.65.3 is affected.
- Version 7.65.2, <= 7.65.2 is affected.
- Version 7.65.1, <= 7.65.1 is affected.
- Version 7.65.0, <= 7.65.0 is affected.
- Version 7.64.1, <= 7.64.1 is affected.
- Version 7.64.0, <= 7.64.0 is affected.
- Version 7.63.0, <= 7.63.0 is affected.
- Version 7.62.0, <= 7.62.0 is affected.
- Version 7.61.1, <= 7.61.1 is affected.
- Version 7.61.0, <= 7.61.0 is affected.
- Version 7.60.0, <= 7.60.0 is affected.
- Version 7.59.0, <= 7.59.0 is affected.
- Version 7.58.0, <= 7.58.0 is affected.
- Version 7.57.0, <= 7.57.0 is affected.
- Version 7.56.1, <= 7.56.1 is affected.
- Version 7.56.0, <= 7.56.0 is affected.
- Version 7.55.1, <= 7.55.1 is affected.
- Version 7.55.0, <= 7.55.0 is affected.
- Version 7.54.1, <= 7.54.1 is affected.
- Version 7.54.0, <= 7.54.0 is affected.
- Version 7.53.1, <= 7.53.1 is affected.
- Version 7.53.0, <= 7.53.0 is affected.
- Version 7.52.1, <= 7.52.1 is affected.
- Version 7.52.0, <= 7.52.0 is affected.
- Version 7.51.0, <= 7.51.0 is affected.
- Version 7.50.3, <= 7.50.3 is affected.
- Version 7.50.2, <= 7.50.2 is affected.
- Version 7.50.1, <= 7.50.1 is affected.
- Version 7.50.0, <= 7.50.0 is affected.
- Version 7.49.1, <= 7.49.1 is affected.
- Version 7.49.0, <= 7.49.0 is affected.
- Version 7.48.0, <= 7.48.0 is affected.
- Version 7.47.1, <= 7.47.1 is affected.
- Version 7.47.0, <= 7.47.0 is affected.
- Version 7.46.0, <= 7.46.0 is affected.
- Version 7.45.0, <= 7.45.0 is affected.
- Version 7.44.0, <= 7.44.0 is affected.
- Version 7.43.0, <= 7.43.0 is affected.
- Version 7.42.1, <= 7.42.1 is affected.
- Version 7.42.0, <= 7.42.0 is affected.
- Version 7.41.0, <= 7.41.0 is affected.
- Version 7.40.0, <= 7.40.0 is affected.
- Version 7.39.0, <= 7.39.0 is affected.
- Version 7.38.0, <= 7.38.0 is affected.
- Version 7.37.1, <= 7.37.1 is affected.
- Version 7.37.0, <= 7.37.0 is affected.
- Version 7.36.0, <= 7.36.0 is affected.
- Version 7.35.0, <= 7.35.0 is affected.
- Version 7.34.0, <= 7.34.0 is affected.
- Version 7.33.0, <= 7.33.0 is affected.
- Version 7.32.0, <= 7.32.0 is affected.
- Version 7.31.0, <= 7.31.0 is affected.
- Version 7.30.0, <= 7.30.0 is affected.
- Version 7.29.0, <= 7.29.0 is affected.
- Version 7.28.1, <= 7.28.1 is affected.
- Version 7.28.0, <= 7.28.0 is affected.
- Version 7.27.0, <= 7.27.0 is affected.
- Version 7.26.0, <= 7.26.0 is affected.
- Version 7.25.0, <= 7.25.0 is affected.
- Version 7.24.0, <= 7.24.0 is affected.
- Version 7.23.1, <= 7.23.1 is affected.
- Version 7.23.0, <= 7.23.0 is affected.
- Version 7.22.0, <= 7.22.0 is affected.
- Version 7.21.7, <= 7.21.7 is affected.
- Version 7.21.6, <= 7.21.6 is affected.
- Version 7.21.5, <= 7.21.5 is affected.
- Version 7.21.4, <= 7.21.4 is affected.
- Version 7.21.3, <= 7.21.3 is affected.
- Version 7.21.2, <= 7.21.2 is affected.
- Version 7.21.1, <= 7.21.1 is affected.
- Version 7.21.0, <= 7.21.0 is affected.
- Version 7.20.1, <= 7.20.1 is affected.
- Version 7.20.0, <= 7.20.0 is affected.
- Version 7.19.7, <= 7.19.7 is affected.
- Version 7.19.6, <= 7.19.6 is affected.
- Version 7.19.5, <= 7.19.5 is affected.
- Version 7.19.4, <= 7.19.4 is affected.
- Version 7.19.3, <= 7.19.3 is affected.
- Version 7.19.2, <= 7.19.2 is affected.
- Version 7.19.1, <= 7.19.1 is affected.
- Version 7.19.0, <= 7.19.0 is affected.
- Version 7.18.2, <= 7.18.2 is affected.
- Version 7.18.1, <= 7.18.1 is affected.
- Version 7.18.0, <= 7.18.0 is affected.
- Version 7.17.1, <= 7.17.1 is affected.
- Version 7.17.0, <= 7.17.0 is affected.
- Version 7.16.4, <= 7.16.4 is affected.
- Version 7.16.3, <= 7.16.3 is affected.
- Version 7.16.2, <= 7.16.2 is affected.
- Version 7.16.1, <= 7.16.1 is affected.
- Version 7.16.0, <= 7.16.0 is affected.
- Version 7.15.5, <= 7.15.5 is affected.
- Version 7.15.4, <= 7.15.4 is affected.
- Version 7.15.3, <= 7.15.3 is affected.
- Version 7.15.2, <= 7.15.2 is affected.
- Version 7.15.1, <= 7.15.1 is affected.
- Version 7.15.0, <= 7.15.0 is affected.
- Version 7.14.1, <= 7.14.1 is affected.