Using libcurl, when a custom `Host:` header is first set for an HTTP request
and a second request is subsequently done using the same *easy handle* but
without the custom `Host:` header set, the second request would use stale
information and pass on cookies meant for the first host in the second
request. Leak them.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Exploitation poc

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
curl curl unaffected
Version Status Constraints
8.19.0 affected ≤ 8.19.0
8.18.0 affected ≤ 8.18.0
8.17.0 affected ≤ 8.17.0
8.16.0 affected ≤ 8.16.0
8.15.0 affected ≤ 8.15.0
8.14.1 affected ≤ 8.14.1
8.14.0 affected ≤ 8.14.0
8.13.0 affected ≤ 8.13.0
8.12.1 affected ≤ 8.12.1
8.12.0 affected ≤ 8.12.0
8.11.1 affected ≤ 8.11.1
8.11.0 affected ≤ 8.11.0
8.10.1 affected ≤ 8.10.1
8.10.0 affected ≤ 8.10.0
8.9.1 affected ≤ 8.9.1
8.9.0 affected ≤ 8.9.0
8.8.0 affected ≤ 8.8.0
8.7.1 affected ≤ 8.7.1
8.7.0 affected ≤ 8.7.0
8.6.0 affected ≤ 8.6.0
8.5.0 affected ≤ 8.5.0
8.4.0 affected ≤ 8.4.0
8.3.0 affected ≤ 8.3.0
8.2.1 affected ≤ 8.2.1
8.2.0 affected ≤ 8.2.0
8.1.2 affected ≤ 8.1.2
8.1.1 affected ≤ 8.1.1
8.1.0 affected ≤ 8.1.0
8.0.1 affected ≤ 8.0.1
8.0.0 affected ≤ 8.0.0
7.88.1 affected ≤ 7.88.1
7.88.0 affected ≤ 7.88.0
7.87.0 affected ≤ 7.87.0
7.86.0 affected ≤ 7.86.0
7.85.0 affected ≤ 7.85.0
7.84.0 affected ≤ 7.84.0
7.83.1 affected ≤ 7.83.1
7.83.0 affected ≤ 7.83.0
7.82.0 affected ≤ 7.82.0
7.81.0 affected ≤ 7.81.0
7.80.0 affected ≤ 7.80.0
7.79.1 affected ≤ 7.79.1
7.79.0 affected ≤ 7.79.0
7.78.0 affected ≤ 7.78.0
7.77.0 affected ≤ 7.77.0
7.76.1 affected ≤ 7.76.1
7.76.0 affected ≤ 7.76.0
7.75.0 affected ≤ 7.75.0
7.74.0 affected ≤ 7.74.0
7.73.0 affected ≤ 7.73.0
7.72.0 affected ≤ 7.72.0
7.71.1 affected ≤ 7.71.1
7.71.0 affected ≤ 7.71.0

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Curl Subscribe
Libcurl Subscribe

Project Subscriptions

Vendors Products
Curl Subscribe
Libcurl Subscribe
Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8227-1 curl vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://www.openwall.com/lists/oss-security/2026/04/29/13 cve-icon
https://curl.se/docs/CVE-2026-6276.html cve-icon cve-icon cve-icon
https://curl.se/docs/CVE-2026-6276.json cve-icon cve-icon
https://hackerone.com/reports/3671818 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-6276 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-6276 cve-icon
History

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 13 May 2026 15:30:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations. Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.
Title curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers stale custom cookie host causes cookie leak
References

Fri, 01 May 2026 01:45:00 +0000

Type Values Removed Values Added
First Time appeared Curl
Curl libcurl
Vendors & Products Curl
Curl libcurl

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. This can lead to libcurl incorrectly sending cookies intended for the first host to the second host, resulting in a cookie leak. This issue is categorized as an Origin Validation Error (CWE-346). Exploitation typically requires specific debugging configurations.
Title curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers
Weaknesses CWE-346
References
Metrics threat_severity

None

 cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Low

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: curl

Published:

Updated: 2026-05-13T17:26:06.894Z

Reserved: 2026-04-14T14:01:54.772Z

Link: CVE-2026-6276

cve-icon Vulnrichment

Updated: 2026-05-13T09:05:37.539Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-13T13:01:56.800

Modified: 2026-05-13T18:16:20.403

Link: CVE-2026-6276

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6276 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T11:00:13Z

Weaknesses