CVE-2026-3783

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://curl.se/docs/CVE-2026-3783.html	Patch Vendor Advisory
https://curl.se/docs/CVE-2026-3783.json	Vendor Advisory
https://hackerone.com/reports/3583983	Exploit Issue Tracking Third Party Advisory
http://www.openwall.com/lists/oss-security/2026/03/11/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 11:16

Updated : 2026-03-12 14:10

NVD link : CVE-2026-3783

Mitre link : CVE-2026-3783

CVE.ORG link : CVE-2026-3783

JSON object : View

Products Affected

haxx

curl

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-3783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-11T11:16:00.080", "references": [{"url": "https://curl.se/docs/CVE-2026-3783.html", "tags": ["Patch", "Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://curl.se/docs/CVE-2026-3783.json", "tags": ["Vendor Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "https://hackerone.com/reports/3583983", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "2499f714-1537-4658-8207-48ae4bb9eae9"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/11/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer\nperforms a redirect to a second URL, curl could leak that token to the second\nhostname under some circumstances.\n\nIf the hostname that the first request is redirected to has information in the\nused .netrc file, with either of the `machine` or `default` keywords, curl\nwould pass on the bearer token set for the first host also to the second one."}, {"lang": "es", "value": "Cuando se utiliza un token portador OAuth2 para una transferencia HTTP(S), y esa transferencia realiza una redirecci\u00f3n a una segunda URL, curl podr\u00eda filtrar ese token al segundo nombre de host bajo algunas circunstancias.\n\nSi el nombre de host al que se redirige la primera solicitud tiene informaci\u00f3n en el archivo .netrc utilizado, con cualquiera de las palabras clave 'machine' o 'default', curl pasar\u00eda el token portador establecido para el primer host tambi\u00e9n al segundo."}], "lastModified": "2026-03-12T14:10:37.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "742F398A-5BE6-4B1A-BBE6-2A5FB57B8B3E", "versionEndExcluding": "8.19.0", "versionStartIncluding": "7.33.0"}], "operator": "OR"}]}], "sourceIdentifier": "2499f714-1537-4658-8207-48ae4bb9eae9"}