CVE-2026-8926
ADVISORY - debianSummary
When asking curl to use a .netrc file to find credentials and at the same time specifying a URL with a username(without a password), like https://user@example.com/, curl could wrongly get and use the password for another user set in the .netrc file for that host if such a one exists and there is no match for the specified user.
- curl 8.21.0~rc2-1 [trixie] - curl (Minor issue) [bookworm] - curl (Vulnerable code not present) [bullseye] - curl (Vulnerable code not present) https://curl.se/docs/CVE-2026-8926.html Introduced with: https://github.com/curl/curl/commit/e9b9bbac22c26cf67316fa8e6c6b9e831af31949 (curl-8_11_1) Fixed by: https://github.com/curl/curl/commit/4ae1d7cc2643e4773a136395f12bc02fc6867854 (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.0061 (0.451)
Common Weakness Enumeration (CWE)
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in