Vulners
Lucene search
Curl 7.10.6 < 8.19.0 Authentication Bypass
| Reporter | Title | Published | Views | Family All 95 |
|---|---|---|---|---|
 | curl -- Multiple vulnerabilties | 11 Mar 202600:00 | – | freebsd |
 | CVE-2026-1965 | 11 Mar 202610:08 | – | attackerkb |
 | CVE-2026-1965 | 11 Mar 202610:08 | – | alpinelinux |
 | CVE-2026-1965 affecting package curl for versions less than 8.11.1-6 | 16 Apr 202602:25 | – | cbl_mariner |
 | CVE-2026-1965 | 11 Mar 202606:56 | – | circl |
 | curl 安全漏洞 | 11 Mar 202600:00 | – | cnnvd |
 | CVE-2026-1965 | 11 Mar 202610:08 | – | cve |
 | CVE-2026-1965 bad reuse of HTTP Negotiate connection | 11 Mar 202610:08 | – | cvelist |
 | CVE-2026-1965 | 11 Mar 202610:08 | – | debiancve |
 | EUVD-2026-11135 | 11 Mar 202612:31 | – | euvd |
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(302776);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/08");
script_cve_id("CVE-2026-1965");
script_xref(name:"IAVA", value:"2026-A-0237-S");
script_name(english:"Curl 7.10.6 < 8.19.0 Authentication Bypass");
script_set_attribute(attribute:"synopsis", value:
"The remote host has a program that is affected by an authentication bypass vulnerability");
script_set_attribute(attribute:"description", value:
"The version of curl installed on the remote host is 7.10.6 prior to 8.19.0. It is, therefore, affected by
an authentication bypass vulnerability:
- libcurl can in some circumstances reuse the wrong connection when asked to do an Negotiate-authenticated
HTTP or HTTPS request. libcurl features a pool of recent connections so that subsequent requests can
reuse an existing connection to avoid overhead. When reusing a connection a range of criterion must
first be met. Due to a logical error in the code, a request that was issued by an application could
wrongfully reuse an existing connection to the same server that was authenticated using different
credentials. One underlying reason being that Negotiate sometimes authenticates *connections* and not
*requests*, contrary to how HTTP is designed to work. An application that allows Negotiate authentication
to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to
the same server also using Negotiate but with `user2:password2` (while the previous connection is still
alive) - the second request wrongly reused the same connection and since it then sees that the Negotiate
negotiation is already made, it just sends the request over that connection thinking it uses the user2
credentials when it is in fact still using the connection authenticated for user1... The set of
authentication methods to use is set with `CURLOPT_HTTPAUTH`. Applications can disable libcurl's reuse of
connections and thus mitigate this problem, by using one of the following libcurl options to alter how
connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and
`CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API). (CVE-2026-1965)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2026-1965.html");
script_set_attribute(attribute:"solution", value:
"Upgrade Curl to version 8.19.0 or later");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-1965");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/11");
script_set_attribute(attribute:"patch_publication_date", value:"2026/03/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/17");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"asset_categories", value:"component");
script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:curl");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("curl_win_installed.nbin", "curl_nix_installed.nbin");
script_require_keys("installed_sw/Curl");
exit(0);
}
include('vdf.inc');
# @tvdl-content
var vuln_data = {
'metadata': {'spec_version': '1.0'},
'checks': [
{
'product': {'name': 'Curl', 'type': 'app'},
'check_algorithm': 'default',
'constraints': [
{'min_version': '7.10.6', 'fixed_version': '8.19.0'}
]
}
]
};
var res = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING, check_backporting:TRUE);
vdf::handle_check_and_report_errors(vdf_result:res);
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 May 2026 00:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.16.5
EPSS0.00073
SSVC