Skip to main content

curl CVE-2026-5545

| EUVDEUVD-2026-29923 MEDIUM
Insufficient Session Expiration (CWE-613)
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 11:20 vuln.today
CVSS changed
May 13, 2026 - 18:22 NVD
6.5 (MEDIUM)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Wrong reuse of HTTP Negotiate-authenticated connections in curl exposes a high-integrity-impact vulnerability where subsequent HTTP requests may inherit an authentication context they should not, potentially allowing requests to be dispatched under incorrect Negotiate (Kerberos/NTLM/SPNEGO) credentials. Affecting an extraordinarily broad version range - curl 7.10.6 through at least 8.19.0 per EUVD data - this flaw was coordinated and disclosed by curl maintainer Daniel Stenberg via oss-security on 2026-04-29 alongside three related connection-reuse CVEs. No public exploit code has been identified and no active exploitation has been confirmed; a vendor-released patch is available, with downstream fixes confirmed by Red Hat (RHSA-2026:12916) and SUSE.

Technical ContextAI

curl (CPE: cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*) implements connection pooling and reuse as a core performance optimization: rather than tearing down and re-establishing TCP/TLS connections for each request, connections are cached and reused across transfers. HTTP Negotiate authentication (RFC 4559) is a SPNEGO-based scheme that wraps Kerberos or NTLM, negotiating a session-level security context over the connection itself rather than per-request. CWE-613 (Insufficient Session Expiration) is the root cause class: when curl pools a connection that carried a Negotiate authentication handshake, it fails to properly enforce that the negotiated security context is no longer valid or applicable when the connection is later reused for a different request - effectively treating a session-bound credential exchange as perpetually reusable. This is structurally similar to the sibling CVE-2026-5773 (SMB connection reuse) and CVE-2026-4873 (TLS requirement bypass on reuse) disclosed in the same coordinated batch, suggesting a systemic pattern in curl's connection-reuse logic across protocols.

RemediationAI

The primary remediation is to upgrade curl to the patched version released by the curl project; the exact fixed version should be confirmed at https://curl.se/docs/CVE-2026-5545.html, as no specific fixed version number is independently confirmed in the available intelligence data. Red Hat Enterprise Linux users should apply RHSA-2026:12916 via standard package management; SUSE users should apply the relevant SUSE-SU advisory for their distribution version. If an immediate upgrade is not feasible in environments using HTTP Negotiate authentication, a compensating control is to disable connection reuse explicitly in curl (via CURLOPT_FORBID_REUSE set to 1L in libcurl, or --no-keepalive in the curl CLI) - note this carries a performance cost as each request will require a full connection establishment. Alternatively, avoid HTTP Negotiate authentication entirely where Kerberos or NTLM is not strictly required, substituting token-based or certificate-based auth that is not session-bound to the connection. Monitoring curl usage in environments with enterprise authentication (Active Directory, MIT Kerberos) for anomalous cross-user request patterns is advisable until patching is complete.

More in Curl

View all
CVE-2013-0249 HIGH POC
7.5 Mar 08

Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7

CVE-2015-3145 HIGH
7.5 Apr 24

The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which

CVE-2022-32221 CRITICAL POC
9.8 Dec 05

When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data t

CVE-2022-32207 CRITICAL POC
9.8 Jul 07

When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the

CVE-2018-0500 CRITICAL POC
9.8 Jul 11

Curl_smtp_escape_eob in lib/smtp.c in curl 7.54.1 to and including curl 7.60.0 has a heap-based buffer overflow that mig

CVE-2023-23914 CRITICAL POC
9.1 Feb 23

A cleartext transmission of sensitive information vulnerability exists in curl <v7.88.0 that could cause HSTS functional

CVE-2023-27534 HIGH POC
8.8 Mar 30

A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to be wrongly re

CVE-2023-27533 HIGH POC
8.8 Mar 30

A vulnerability in input validation exists in curl <8.0 during communication using the TELNET protocol may allow an atta

CVE-2025-0665 HIGH POC
7.0 Feb 05

A double-close vulnerability exists in libcurl when tearing down connection channels after threaded name resolution, cau

CVE-2022-27778 HIGH POC
8.1 Jun 02

A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used

CVE-2021-22901 HIGH POC
8.1 Jun 11

curl 7.75.0 through 7.76.1 suffers from a use-after-free vulnerability resulting in already freed memory being used when

CVE-2020-8177 HIGH POC
7.8 Dec 14

curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead to

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
Container suse/manager/4.3/proxy-httpd:4.3.17.9.76.18 Container suse/manager/4.3/proxy-salt-broker:4.3.17.9.66.20 Container suse/sle-micro-rancher/5.3:latest Container suse/sle-micro-rancher/5.4:5.4.4.5.106 Container suse/sle-micro/5.3/toolbox:16.3-6.11.222 Container suse/sle-micro/5.4/toolbox:16.3-5.19.222 Container suse/sle-micro/5.5/toolbox:16.3-3.12.133 Container suse/sle-micro/base-5.5:2.0.4-5.8.271 Image SLES15-SP4-BYOS Image SLES15-SP4-BYOS-Azure Image SLES15-SP4-BYOS-EC2 Image SLES15-SP4-BYOS-GCE Image SLES15-SP4-CHOST-BYOS Image SLES15-SP4-CHOST-BYOS-Aliyun Image SLES15-SP4-CHOST-BYOS-Azure Image SLES15-SP4-CHOST-BYOS-EC2 Image SLES15-SP4-CHOST-BYOS-GCE Image SLES15-SP4-CHOST-BYOS-SAP-CCloud Image SLES15-SP4-HPC-BYOS Image SLES15-SP4-HPC-BYOS-Azure Image SLES15-SP4-HPC-BYOS-EC2 Image SLES15-SP4-HPC-BYOS-GCE Image SLES15-SP4-HPC-EC2 Image SLES15-SP4-HPC-GCE Image SLES15-SP4-Hardened-BYOS Image SLES15-SP4-Hardened-BYOS-Azure Image SLES15-SP4-Hardened-BYOS-EC2 Image SLES15-SP4-Hardened-BYOS-GCE Image SLES15-SP4-SAP-BYOS Image SLES15-SP4-SAP-BYOS-Azure Image SLES15-SP4-SAP-BYOS-EC2 Image SLES15-SP4-SAP-BYOS-GCE Image SLES15-SP4-SAP-Hardened Image SLES15-SP4-SAP-Hardened-Azure Image SLES15-SP4-SAP-Hardened-BYOS Image SLES15-SP4-SAP-Hardened-BYOS-Azure Image SLES15-SP4-SAP-Hardened-BYOS-EC2 Image SLES15-SP4-SAP-Hardened-BYOS-GCE Image SLES15-SP4-SAP-Hardened-GCE Image SLES15-SP5-BYOS-Azure Image SLES15-SP5-BYOS-EC2 Image SLES15-SP5-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-Aliyun Image SLES15-SP5-CHOST-BYOS-Azure Image SLES15-SP5-CHOST-BYOS-EC2 Image SLES15-SP5-CHOST-BYOS-GCE Image SLES15-SP5-CHOST-BYOS-GDC Image SLES15-SP5-CHOST-BYOS-SAP-CCloud Image SLES15-SP5-EC2 Image SLES15-SP5-GCE Image SLES15-SP5-HPC-BYOS-Azure Image SLES15-SP5-HPC-BYOS-EC2 Image SLES15-SP5-HPC-BYOS-GCE Image SLES15-SP5-Hardened-BYOS-Azure Image SLES15-SP5-Hardened-BYOS-EC2 Image SLES15-SP5-Hardened-BYOS-GCE Image SLES15-SP5-SAP-Azure-3P Image SLES15-SP5-SAP-BYOS-Azure Image SLES15-SP5-SAP-BYOS-EC2 Image SLES15-SP5-SAP-BYOS-GCE Image SLES15-SP5-SAP-Hardened-Azure Image SLES15-SP5-SAP-Hardened-BYOS-Azure Image SLES15-SP5-SAP-Hardened-BYOS-EC2 Image SLES15-SP5-SAP-Hardened-BYOS-GCE Image SLES15-SP5-SAP-Hardened-GCE Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.172 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.155 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.168 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.139 Container suse/sl-micro/6.0/toolbox:13.2-9.105 Image SL-Micro Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.102 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.127 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.116 Affected
Container suse/sl-micro/6.1/base-os-container:2.2.1-5.126 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected

Share

CVE-2026-5545 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy