CVE-2026-11856
ADVISORY - debianSummary
Successfully using libcurl to do a transfer to a specific HTTP origin (hostA) with Digest authentication and then changing the origin to a different one (hostB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Authorization: header field meant for hostA, to hostB.
- curl 8.21.0~rc3-1 [trixie] - curl (Minor issue) [bookworm] - curl (Minor issue; needs Digest auth + libcurl handle reuse across origins) [bullseye] - curl (Minor issue; needs Digest auth + libcurl handle reuse across origins) https://curl.se/docs/CVE-2026-11856.html Introduced with: https://github.com/curl/curl/commit/334d78cd18a7310144383929bdcef34ffbf6159b (curl-7_10_6) Fixed by: https://github.com/curl/curl/commit/5c6b4880357ab3e72967c1c45cae0f96ffabc535 (rc-8_21_0-3, curl-8_21_0)
EPSS Score: 0.01064 (0.607)
Common Weakness Enumeration (CWE)
Alpine
CREATED
UPDATED
ADVISORY IDCVE-2026-11856
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Debian
CREATED
UPDATED
ADVISORY IDCVE-2026-11856
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-11856
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/Amediumminimos
CREATED
UPDATED
ADVISORY ID
MINI-mhj4-jp68-cpm2
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-pmx3-xcpx-8ggp
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-