Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

libcurl 7.71.0 < 8.20.0 Cookie Leak via Stale Host Header

🗓️ 01 May 2026 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 5 Views

Libcurl 7.71.0–8.20.0 has a cookie leak when reusing a connection with a stale Host header.

Related
Refs
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2026-6276
13 May 202608:28
attackerkb
AlpineLinux		CVE-2026-6276
13 May 202608:28
alpinelinux
Circl		CVE-2026-6276
29 Apr 202607:00
circl
CNNVD		libcurl 安全漏洞
13 May 202600:00
cnnvd
CVE		CVE-2026-6276
13 May 202608:28
cve
Cvelist		CVE-2026-6276 stale custom cookie host causes cookie leak
13 May 202608:28
cvelist
Debian CVE		CVE-2026-6276
13 May 202608:28
debiancve
EUVD		EUVD-2026-29928
13 May 202608:28
euvd
Hacker One		curl: CVE-2026-6276: stale custom cookie host causes cookie leak
14 Apr 202605:45
hackerone
Microsoft CVE		stale custom cookie host causes cookie leak
14 May 202608:01
mscve
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(311420);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/15");

  script_cve_id("CVE-2026-6276");
  script_xref(name:"IAVA", value:"2026-A-0397");

  script_name(english:"libcurl 7.71.0 < 8.20.0 Cookie Leak via Stale Host Header");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has a program that is affected by a cookie leak vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of libcurl installed on the remote host is 7.71.0 prior to 8.20.0. It is, therefore, affected by
a cookie leak vulnerability:

  - When using the same connection handle for multiple HTTP requests, if a custom Host: header is removed
    in a subsequent request, the second request would use stale information and pass on cookies meant for
    the first host in the second request. This primarily affects clear text HTTP transfers, as HTTPS
    connections require proper SNI configuration making the vulnerability less exploitable.
    (CVE-2026-6276)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://curl.se/docs/CVE-2026-6276.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade libcurl to version 8.20.0 or later");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-6276");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:haxx:libcurl");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("libcurl_nix_installed.nbin", "libcurl_win_installed.nbin");
  script_require_keys("installed_sw/libcurl");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'libcurl', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'min_version': '7.71.0', 'fixed_version': '8.20.0'}
      ]
    }
  ]
};

var res = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_HOLE, check_backporting:TRUE);
vdf::handle_check_and_report_errors(vdf_result:res);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 May 2026 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 3.17.5
EPSS0.00013
SSVC
libcurl 7.71.0libcurl 8.20.0cookie leakstale host headershared connectionclear text http
5