CVE-2026-8927

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 03/07/2026
Last modified: 03/07/2026

Description

When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against `proxyA` using Digest auth, a subsequent transfer routed through `proxyB` erroneously leaks the `Proxy-Authorization:` header intended solely for `proxyA`.
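
The leak described above can be checked for from the proxy side: a Digest `Proxy-Authorization:` header should only reach the proxy that issued its realm and nonce. The following is an added example, not code from curl or from this advisory; the event format, the function names and the sample values are constructed assumptions.

```python
import re

# Constructed sample events in capture order (assumed format):
# (kind, proxy, header value); "challenge" carries Proxy-Authenticate,
# "request" carries Proxy-Authorization (None when the header is absent).
SAMPLE_EVENTS = [
    ("challenge", "proxyA", 'Digest realm="corpA", nonce="a1b2c3", qop="auth"'),
    ("request", "proxyA", 'Digest username="svc", realm="corpA", nonce="a1b2c3", '
                          'uri="example.test:443", response="0f0f"'),
    ("request", "proxyB", 'Digest username="svc", realm="corpA", nonce="a1b2c3", '
                          'uri="example.test:443", response="0f0f"'),
    ("request", "proxyB", None),
]

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def digest_params(value):
    """Parse a Digest header value into a dict; return {} for other schemes."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        return {}
    return {k.lower(): quoted or bare for k, quoted, bare in _PARAM.findall(rest)}


def find_misdirected_auth(events):
    """Return requests whose Digest credentials were issued by another proxy."""
    issued = {}  # proxy -> {(realm, nonce)} taken from that proxy's challenges
    findings = []
    for index, (kind, proxy, header) in enumerate(events):
        params = digest_params(header) if header else {}
        if not params:
            continue
        key = (params.get("realm"), params.get("nonce"))
        if kind == "challenge":
            issued.setdefault(proxy, set()).add(key)
            continue
        origin = sorted(p for p, keys in issued.items() if key in keys)
        # Only flag when the issuing proxy is known and differs from the
        # receiver; unknown nonces (capture started late) are not flagged.
        if origin and proxy not in origin:
            findings.append({"event": index, "sent_to": proxy,
                             "issued_by": origin, "realm": key[0]})
    return findings


if __name__ == "__main__":
    for finding in find_misdirected_auth(SAMPLE_EVENTS):
        print(finding)
```
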

Impact