Home / Vulnerability Intelligence / CVE-2026-5545

CVE-2026-5545 - Vulnerability Analysis

MediumCVSS: 6.5

Last Updated: May 13, 2026

libcurl - Authentication Bypass

Published: May 13, 2026Updated: May 13, 2026PoC AvailableRemote Exploitable

Overview

libcurl contains an authentication bypass caused by incorrect connection reuse logic in the connection pool, letting attackers send requests with wrong credentials, exploit requires multiple authenticated requests to the same host.

Severity & Score

Severity: Medium

CVSS Score: 6.5

EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can send requests using another user's authenticated connection, potentially leading to unauthorized access or data leakage.

Mitigation

Update to the latest libcurl version with the connection reuse fix.

References

Social Media Activity(1 post)

daniel:// stenberg://

@bagder

Apr 29, 2026

Out of the eight new #curl CVEs, four of them had existed in code for over twenty years when we published. CVE-2026-5545 clocks in at 22.75 years old CVE-2026-7168 at 21.91 years CVE-2026-6429 at 20.95 years CVE-2026-6253 at 20.66 years And yet CVE-2026-5545 only becomes the 5th oldest vulnerability ever found in curl so far.

View original post

Related Resources

Details

CVE ID: CVE-2026-5545
Severity: Medium
CVSS Score: 6.5
Type: broken_authentication
Status: confirmed
EPSS: 0.0%
Social Posts: 1

CWE

CWE-613

CVSS Metrics

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

EPSS Score

0.0%Probability of exploitation in the next 30 days