When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
History

Sun, 05 Jul 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-306

Sat, 04 Jul 2026 09:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-306

Fri, 03 Jul 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 03 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl curl
Vendors & Products Curl
Curl curl

Fri, 03 Jul 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 03 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Description When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
Title env-set cross-proxy Digest auth state leak
References

cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-07-03T06:16:06.376Z

Updated: 2026-07-03T06:16:06.376Z

Reserved: 2026-05-19T08:12:08.842Z

Link: CVE-2026-8927

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.