Is CVE-2026-5545 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 0%.

What products does CVE-2026-5545 affect?

Tracked products affected include curl. Check the version you run to see whether it is affected.

How do I fix CVE-2026-5545?

Apply the vendor fix in your normal patch cycle. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2026-5545

Q: What is CVE-2026-5545?

CVE-2026-5545 is a medium-severity software vulnerability (CWE-613) with a CVSS score of 6.5. libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subseq

MEDIUM severity · CVSS 6.5 · CWE-613

6.5CVSS MEDIUM

Summary

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Affected products we track (1)

curl

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Official patch: https://curl.se/docs/CVE-2026-5545.html ↗

Additional information

NVD record
https://curl.se/docs/CVE-2026-5545.htmlPatch
https://curl.se/docs/CVE-2026-5545.jsonAdvisory
https://hackerone.com/reports/3642555Advisory