SpirityCVE

curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Curl	Curl

No data.

References

Link	Providers
https://curl.se/docs/CVE-2026-6253.html
https://curl.se/docs/CVE-2026-6253.json
https://hackerone.com/reports/3669637
https://nvd.nist.gov/vuln/detail/CVE-2026-6253
https://www.cve.org/CVERecord?id=CVE-2026-6253

History

Wed, 13 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials.	curl might erroneously pass on credentials for a first proxy to a second proxy. This can happen when the following conditions are true: 1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say `http://`), curl is asked to follow a redirect to a URL using another scheme (say `https://`), accessed using a second, different, proxy
Title	curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies	proxy credentials leak over redirect-to proxy
References		https://curl.se/docs/CVE-2026-6253.json https://hackerone.com/reports/3669637

Fri, 01 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Fri, 01 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials.
Title		curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies
Weaknesses		CWE-201
References		https://curl.se/docs/CVE-2026-6253.html https://nvd.nist.gov/vuln/detail/CVE-2026-6253 https://www.cve.org/CVERecord?id=CVE-2026-6253
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}` threat_severity `Moderate`

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-05-13T08:28:03.004Z

Updated: 2026-05-13T09:05:31.000Z

Reserved: 2026-04-13T20:11:11.991Z

Link: CVE-2026-6253

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-04-29T00:00:00Z

Links: CVE-2026-6253 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object