CVE-2026-8927
ADVISORY - debianSummary
When reusing a libcurl handle for sequential transfers driven by environment-variable proxy configuration, libcurl fails to clear the proxy authentication state between requests. Specifically, if the initial transfer authenticates against proxyA using Digest auth, a subsequent transfer routed through proxyB erroneously leaks the Proxy-Authorization: header intended solely for proxyA.
- curl 8.21.0~rc2-1 [trixie] - curl (Minor issue) [bookworm] - curl (Minor issue; libcurl env-proxy Digest auth handle reuse) [bullseye] - curl (Minor issue; libcurl env-proxy Digest auth handle reuse) https://curl.se/docs/CVE-2026-8927.html Introduced with: https://github.com/curl/curl/commit/fc6eff13b5414caf6edf22d73a3239e074a04216 (curl-7_12_0) Fixed by: https://github.com/curl/curl/commit/5c225384b8d52c67ce8259c6e4203bc57aacb567 (rc-8_21_0-1, curl-8_21_0)
EPSS Score: 0.00752 (0.507)
Common Weakness Enumeration (CWE)
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in