SpirityCVE

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Curl	Curl

No data.

References

Link	Providers
https://www.spirityenterprise.com/virtual-ciso
https://curl.se/docs/CVE-2026-4873.html
https://curl.se/docs/CVE-2026-4873.json
https://hackerone.com/reports/3621851
https://nvd.nist.gov/vuln/detail/CVE-2026-4873
https://www.cve.org/CVERecord?id=CVE-2026-4873

History

Wed, 13 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection (via IMAP, SMTP, or POP3) and then making a subsequent request to the same host that requires Transport Layer Security (TLS). Due to incorrect connection reuse, the subsequent request would bypass the TLS requirement, leading to the transmission of sensitive information in cleartext. This vulnerability, categorized as Cleartext Transmission of Sensitive Information (CWE-319), results in information disclosure.	A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmit data unencrypted.
Title	curl: curl: Information disclosure due to incorrect TLS connection reuse	connection reuse ignores TLS requirement
References		https://curl.se/docs/CVE-2026-4873.json https://hackerone.com/reports/3621851

Fri, 01 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Fri, 01 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection (via IMAP, SMTP, or POP3) and then making a subsequent request to the same host that requires Transport Layer Security (TLS). Due to incorrect connection reuse, the subsequent request would bypass the TLS requirement, leading to the transmission of sensitive information in cleartext. This vulnerability, categorized as Cleartext Transmission of Sensitive Information (CWE-319), results in information disclosure.
Title		curl: curl: Information disclosure due to incorrect TLS connection reuse
Weaknesses		CWE-319
References		https://curl.se/docs/CVE-2026-4873.html https://nvd.nist.gov/vuln/detail/CVE-2026-4873 https://www.cve.org/CVERecord?id=CVE-2026-4873
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-05-13T08:27:04.538Z

Updated: 2026-05-13T09:05:12.559Z

Reserved: 2026-03-26T05:38:02.098Z

Link: CVE-2026-4873

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-4873 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object