Skip to main content

curl CVE-2026-7009

| EUVDEUVD-2026-29931 MEDIUM
Improper Certificate Validation (CWE-295)
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 16:24 vuln.today
CVSS changed
May 13, 2026 - 16:22 NVD
5.3 (MEDIUM)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 06:45 nvd
MEDIUM 5.3

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

OCSP stapling validation bypass in curl 8.17.0-8.19.0 allows remote attackers to obtain sensitive certificate validation information when curl uses Apple SecTrust for TLS connections, potentially enabling man-in-the-middle attacks by bypassing server certificate revocation checks.

Technical ContextAI

OCSP (Online Certificate Status Protocol) stapling is a TLS extension that allows servers to provide signed revocation status within the handshake, reducing client latency and privacy leakage. Curl integrates with the underlying OS certificate validation framework-on macOS and iOS, this is Apple SecTrust. The vulnerability resides in curl's handling of OCSP stapling responses when SecTrust is the active TLS backend. The issue allows an attacker-controlled server or man-in-the-middle to supply invalid or missing OCSP stapling data that curl fails to validate correctly, bypassing the intended revocation status check. This is an information disclosure vulnerability (CWE class not specified in data, but consistent with weak cryptographic validation) that affects curl's certificate pinning and revocation verification logic on Apple platforms.

RemediationAI

Upgrade to curl version 8.20.0 or later (vendor patch confirmed in curl security advisory). Users unable to upgrade immediately should: disable OCSP stapling validation if the application supports it (trade-off: reduces revocation checking coverage), or restrict TLS connections to pinned certificate hashes to mitigate man-in-the-middle risk. Administrators should prioritize patching for applications running on macOS/iOS in high-security environments (financial, healthcare, enterprise); lower priority for consumer applications or non-Apple platforms. Consult curl.se/docs/CVE-2026-7009.html and https://www.openwall.com/lists/oss-security/2026/04/29 for vendor guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed
SLES15-SP6-CHOST-BYOS-GCE Fixed

Share

CVE-2026-7009 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy