LeakyCreds

CVE-2026-3784 - Vulnerability Analysis

Medium | CVSS: 6.5

Last Updated: March 12, 2026

curl - Authentication Bypass

Published: March 11, 2026 | Updated: March 12, 2026 | PoC Available | Remote Exploitable

Overview

curl contains a broken authentication flaw caused by reusing existing HTTP proxy connections with different credentials during CONNECT requests, which lets attackers bypass proxy authentication. Exploitation requires the use of an HTTP proxy with different credentials.

Severity & Score

Severity: Medium
CVSS Score: 6.5
EPSS Score: 2.6% (Probability of exploitation in next 30 days)

Impact

Attackers can bypass HTTP proxy authentication by reusing connections, potentially accessing unauthorized resources.

Mitigation

Update to the latest version of curl.

Social Media Activity (1 post)

daniel:// stenberg://
@bagder
Mar 12, 2026

CVE-2026-3784 beat a new #curl record. This flaw existed in curl source code for 24.97 years before it was discovered. Illustrated in the slightly hard-to-read graph below. The average age of a curl vulnerability when reported is eight years. https://curl.se/docs/CVE-2026-3784.html


Details

CVE ID: CVE-2026-3784
Severity: Medium
CVSS Score: 6.5
Type: broken_authentication
Status: confirmed
EPSS: 2.6%
Social Posts: 1

CWE

  • CWE-305

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Score

2.6% (Probability of exploitation in the next 30 days)