Skip to main content

curl CVE-2026-12064

| EUVDEUVD-2026-41502 HIGH
Improper Certificate Validation (CWE-295)
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.4 HIGH

Requires an active MITM position plus a specific non-default invocation (AC:H); no attacker auth (PR:N); defeated host verification exposes both intercepted data (C:H) and tampering (I:H), with no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jul 06, 2026 - 21:49 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:49 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:47 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:47 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 19:22 NVD
7.5 (HIGH)
Analysis Generated
Jun 24, 2026 - 18:31 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SSH host-key verification bypass in curl/libcurl (versions through 8.20.0) lets a network man-in-the-middle silently impersonate an SFTP/SCP server when a user invokes curl with a schemeless URL plus '--proto-default sftp' (or scp). In this specific invocation the command-line tool layer misidentifies the scheme and skips setting CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS, while libcurl still honors CURLOPT_DEFAULT_PROTOCOL and completes the connection, so curl connects to an unverified host without any error. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as MITM on SSH path
Delivery
Wait for curl schemeless '--proto-default sftp/scp' call
Exploit
Host-key verification silently skipped
Execution
Present spoofed SFTP/SCP server
Impact
Intercept credentials and tamper with transferred data

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: (1) the victim invoking curl with a schemeless URL combined with '--proto-default sftp' or '--proto-default scp' (equivalently CURLOPT_DEFAULT_PROTOCOL set to sftp/scp) - this exact non-default invocation is the trigger; (2) an active man-in-the-middle position on the SSH connection path to impersonate the SFTP/SCP server; and (3) the victim using SFTP/SCP transfers at all. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real-but-conditional integrity risk rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the network path (e.g. rogue Wi-Fi, ARP/DNS spoofing, or a compromised upstream hop) waits for a script or user that runs 'curl --proto-default sftp user@host/path' with a schemeless target. …
Remediation Upgrade to a fixed curl/libcurl release as published in the vendor advisory at https://curl.se/docs/CVE-2026-12064.html and the oss-security announcement at https://seclists.org/oss-sec/2026/q2/1012 - no vendor-released patch version is stated in the provided data, so confirm the exact fixed version directly from the curl.se advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit curl/libcurl deployments and scripts to identify usage of '--proto-default sftp' or '--proto-default scp' flags with schemeless URLs; document inventory by criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

CVE-2026-12064 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy