CVE-2026-5545
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
13/05/2026
Last modified:
13/05/2026
Description
libcurl might in some circumstances reuse the wrong connection when asked to<br />
do an authenticated HTTP(S) request after a Negotiate-authenticated one, when<br />
both use the same host.<br />
<br />
libcurl features a pool of recent connections so that subsequent requests can<br />
reuse an existing connection to avoid overhead.<br />
<br />
When reusing a connection a range of criteria must be met. Due to a logical<br />
error in the code, a request that was issued by an application could<br />
wrongfully reuse an existing connection to the same server that was<br />
authenticated using different credentials.<br />
<br />
An application that first uses Negotiate authentication to a server with<br />
`user1:password1` and then does another operation to the same server asking<br />
for any authentication method but for `user2:password2` (while the previous<br />
connection is still alive) - the second request gets confused and wrongly<br />
reuses the same connection and sends the new request over that connection<br />
thinking it uses a mix of user1&#39;s and user2&#39;s credentials when it is in fact<br />
still using the connection authenticated for user1...
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* | 7.10.6 (including) | 8.20.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



