CVE-2026-9547
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
03/07/2026
Last modified:
03/07/2026
Description
When a libcurl-based application performs transfers via `SCP://` or `SFTP://` and uses the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an untrusted server. The flaw is triggered when a server presents a host key of a type different from the key type already recorded for that host in the `known_hosts` file. Instead of the mismatch being rejected, the callback mechanism fails to enforce that restriction, so the connection succeeds without warning and the transfer is exposed to a potential man-in-the-middle attack.
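The decision the entry above describes is the one a `CURLOPT_SSH_KEYFUNCTION` callback makes: whether the key the server presented is the key recorded for that host. The following is an added example, not code from this entry or from the curl project: a stand-alone C model of a defensive callback decision that looks up the host in a `known_hosts` buffer itself and rejects whenever the presented key type is not one recorded for that host, regardless of what match status the library reported. The `known_hosts` content is constructed for illustration, the enum names only echo libcurl's `curl_khmatch`/`curlkhstat` but are defined locally so the file compiles without libcurl, and `host_has_type`/`decide_host_key` are this example's own functions.

```c
/* Added example, not libcurl code: a defensive host-key acceptance check
 * modelled on the decision a CURLOPT_SSH_KEYFUNCTION callback has to make.
 * Everything here is self-contained; the enum names echo libcurl's
 * curl_khmatch / curlkhstat but the values and types are this example's own. */
#include <stdio.h>
#include <string.h>

typedef enum { KH_MATCH_OK = 0, KH_MATCH_MISMATCH = 1, KH_MATCH_MISSING = 2 } kh_match;
typedef enum { KH_STAT_FINE = 1, KH_STAT_REJECT = 2 } kh_stat;

/* Constructed known_hosts content (OpenSSH format: "host[,host...] keytype base64key").
 * The base64 blobs are placeholders, not real keys. */
static const char KNOWN_HOSTS[] =
    "# constructed example file\n"
    "example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONLY\n"
    "gw.internal,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER\n"
    "|1|hashedhostsalt=|hashedhost= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASHED\n";

/* Return 1 if some plain (unhashed, unmarked) line in `known_hosts` lists
 * `host` exactly and records key type `type` for it, else 0.
 * Hashed (|1|...) entries and @marker lines are skipped, i.e. treated as
 * "not a plain match" rather than guessed at. */
static int host_has_type(const char *known_hosts, const char *host, const char *type)
{
    const char *line = known_hosts;
    size_t hostlen = strlen(host), typelen = strlen(type);

    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;

        while (p < end && (*p == ' ' || *p == '\t')) p++;
        if (p < end && *p != '#' && *p != '|' && *p != '@') {
            /* field 1: comma-separated host names */
            const char *f1 = p;
            while (p < end && *p != ' ' && *p != '\t') p++;
            const char *f1end = p;
            /* field 2: key type */
            while (p < end && (*p == ' ' || *p == '\t')) p++;
            const char *f2 = p;
            while (p < end && *p != ' ' && *p != '\t') p++;
            size_t f2len = (size_t)(p - f2);

            if (f2len == typelen && memcmp(f2, type, typelen) == 0) {
                const char *h = f1;
                while (h < f1end) {
                    const char *c = memchr(h, ',', (size_t)(f1end - h));
                    const char *hend = c ? c : f1end;
                    if ((size_t)(hend - h) == hostlen && memcmp(h, host, hostlen) == 0)
                        return 1;
                    h = hend + 1;
                }
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* The callback decision. Accept only when the library reported a clean match
 * AND the presented key type is one actually recorded for this host. A key of
 * a different type is treated as an unknown key and rejected, never as "fine",
 * so a library that wrongly reports OK for a type mismatch does not get
 * to open the connection. */
static kh_stat decide_host_key(const char *known_hosts, const char *host,
                               const char *presented_type, kh_match lib_match)
{
    if (lib_match != KH_MATCH_OK)
        return KH_STAT_REJECT;
    if (!host_has_type(known_hosts, host, presented_type))
        return KH_STAT_REJECT;
    return KH_STAT_FINE;
}

int main(void)
{
    /* The scenario from the advisory: ssh-ed25519 is recorded for example.org,
     * but the server presents an ssh-rsa key and the library says "OK". */
    kh_stat s = decide_host_key(KNOWN_HOSTS, "example.org", "ssh-rsa", KH_MATCH_OK);
    printf("example.org presenting ssh-rsa: %s\n", s == KH_STAT_FINE ? "accepted" : "rejected");
    s = decide_host_key(KNOWN_HOSTS, "example.org", "ssh-ed25519", KH_MATCH_OK);
    printf("example.org presenting ssh-ed25519: %s\n", s == KH_STAT_FINE ? "accepted" : "rejected");
    return 0;
}
```

In a real libcurl callback the recorded and presented keys arrive as the `knownkey` and `foundkey` parameters documented in CURLOPT_SSH_KEYFUNCTION(3), each a `struct curl_khkey` with a `keytype` field; comparing those two `keytype` values before returning `CURLKHSTAT_FINE` is the equivalent of the string comparison above, and returning `CURLKHSTAT_REJECT` on any difference keeps the mismatch from being accepted silently even where the library's own check does not catch it.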