Skip to main content

curl CVE-2026-7168

| EUVDEUVD-2026-29932 MEDIUM
Authentication Bypass by Capture-replay (CWE-294)
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 16:24 vuln.today
CVSS changed
May 13, 2026 - 16:22 NVD
5.3 (MEDIUM)
CVE Published
May 08, 2026 - 06:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 06:45 nvd
MEDIUM 5.3

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Cross-proxy Digest authentication state leak in curl allows remote attackers to obtain sensitive authentication credentials when curl is used with proxy authentication across multiple proxy hops. The vulnerability affects curl versions from 7.12.0 through 8.19.0 due to improper handling of Digest authentication state between proxies, enabling credential disclosure with network-level access and no authentication requirements. EPSS score of 0.03% suggests low real-world exploitation probability despite the information disclosure impact.

Technical ContextAI

curl's HTTP client library implements Digest authentication (RFC 2617), which requires stateful management of nonce values and authentication state across multiple requests. When curl routes requests through multiple proxies (proxy chaining), the authentication state-particularly the Digest nonce and related cryptographic material-may persist incorrectly across different proxy connections. The vulnerability stems from improper isolation or reuse of Digest auth context when switching between proxy endpoints. CWE classification is not specified in the input data, but the mechanism aligns with CWE-384 (Session Fixation) or CWE-613 (Insufficient Session Expiration), where authentication credentials leak between security boundaries.

RemediationAI

Upgrade curl to the first patched version released after the coordinated disclosure on April 29, 2026. As exact patched version numbers are not provided in the input data, consult curl's official advisory at https://curl.se/docs/CVE-2026-7168.html for the specific fixed version. For immediate mitigation in multi-proxy environments, disable proxy chaining and use direct proxy connections where operationally feasible, or implement proxy authentication at only the final proxy hop rather than intermediate hops. If proxy chaining is mandatory, isolate Digest authentication sessions by adding request-level nonce invalidation or by forcing HTTP Basic authentication (if acceptable security-wise) as an alternative, though this requires careful evaluation of the security trade-off. Monitor curl release notes and apply patches promptly, as the multi-proxy scenario is increasingly common in enterprise environments using HTTP-to-HTTPS bridging or multi-tier proxy architectures.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2016-0792 HIGH POC
8.8 Apr 07

Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to ex

CVE-2015-5317 HIGH
7.5 Nov 25

The Fingerprints pages in Jenkins before 1.638 and LTS before 1.625.2 might allow remote attackers to obtain sensitive j

CVE-2016-0788 CRITICAL
9.8 Apr 07

The remoting module in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed
SLES15-SP6-CHOST-BYOS-GCE Fixed

Share

CVE-2026-7168 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy