Stale Host Header Causes Cookie Leakage in libcurl
CVE-2026-6276 Published on May 13, 2026
stale custom cookie host causes cookie leak
Using libcurl, when a custom `Host:` header is first set for an HTTP request
and a second request is subsequently done using the same *easy handle* but
without the custom `Host:` header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request. Leak them.
Vulnerability Analysis
CVE-2026-6276 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Products Associated with CVE-2026-6276
stack.watch emails you whenever new vulnerabilities are published in Canonical Ubuntu Linux or Haxx Curl. Just hit a watch button to start following.
Affected Versions
curl:- Version 8.19.0, <= 8.19.0 is affected.
- Version 8.18.0, <= 8.18.0 is affected.
- Version 8.17.0, <= 8.17.0 is affected.
- Version 8.16.0, <= 8.16.0 is affected.
- Version 8.15.0, <= 8.15.0 is affected.
- Version 8.14.1, <= 8.14.1 is affected.
- Version 8.14.0, <= 8.14.0 is affected.
- Version 8.13.0, <= 8.13.0 is affected.
- Version 8.12.1, <= 8.12.1 is affected.
- Version 8.12.0, <= 8.12.0 is affected.
- Version 8.11.1, <= 8.11.1 is affected.
- Version 8.11.0, <= 8.11.0 is affected.
- Version 8.10.1, <= 8.10.1 is affected.
- Version 8.10.0, <= 8.10.0 is affected.
- Version 8.9.1, <= 8.9.1 is affected.
- Version 8.9.0, <= 8.9.0 is affected.
- Version 8.8.0, <= 8.8.0 is affected.
- Version 8.7.1, <= 8.7.1 is affected.
- Version 8.7.0, <= 8.7.0 is affected.
- Version 8.6.0, <= 8.6.0 is affected.
- Version 8.5.0, <= 8.5.0 is affected.
- Version 8.4.0, <= 8.4.0 is affected.
- Version 8.3.0, <= 8.3.0 is affected.
- Version 8.2.1, <= 8.2.1 is affected.
- Version 8.2.0, <= 8.2.0 is affected.
- Version 8.1.2, <= 8.1.2 is affected.
- Version 8.1.1, <= 8.1.1 is affected.
- Version 8.1.0, <= 8.1.0 is affected.
- Version 8.0.1, <= 8.0.1 is affected.
- Version 8.0.0, <= 8.0.0 is affected.
- Version 7.88.1, <= 7.88.1 is affected.
- Version 7.88.0, <= 7.88.0 is affected.
- Version 7.87.0, <= 7.87.0 is affected.
- Version 7.86.0, <= 7.86.0 is affected.
- Version 7.85.0, <= 7.85.0 is affected.
- Version 7.84.0, <= 7.84.0 is affected.
- Version 7.83.1, <= 7.83.1 is affected.
- Version 7.83.0, <= 7.83.0 is affected.
- Version 7.82.0, <= 7.82.0 is affected.
- Version 7.81.0, <= 7.81.0 is affected.
- Version 7.80.0, <= 7.80.0 is affected.
- Version 7.79.1, <= 7.79.1 is affected.
- Version 7.79.0, <= 7.79.0 is affected.
- Version 7.78.0, <= 7.78.0 is affected.
- Version 7.77.0, <= 7.77.0 is affected.
- Version 7.76.1, <= 7.76.1 is affected.
- Version 7.76.0, <= 7.76.0 is affected.
- Version 7.75.0, <= 7.75.0 is affected.
- Version 7.74.0, <= 7.74.0 is affected.
- Version 7.73.0, <= 7.73.0 is affected.
- Version 7.72.0, <= 7.72.0 is affected.
- Version 7.71.1, <= 7.71.1 is affected.
- Version 7.71.0, <= 7.71.0 is affected.