CVE-2026-7168 - Vulnerability Analysis

Overview

libcurl contains a broken access control vulnerability caused by reuse of a handle with Digest authentication headers from one HTTP proxy being sent to another proxy, letting attackers cause unauthorized proxy authentication leakage, exploit requires reuse of the same handle with different proxies.

Severity & Score

Impact

Attackers can cause leakage of proxy authentication headers to unintended proxies, potentially exposing credentials.

Mitigation

Update to the latest libcurl version that fixes proxy authentication header reuse.

References

• https://curl.se/docs/CVE-2026-7168.html
• https://curl.se/docs/CVE-2026-7168.json
• https://hackerone.com/reports/3697719
• http://www.openwall.com/lists/oss-security/2026/04/29/14

Social Media Activity(1 post)

daniel:// stenberg://

@bagder

Apr 29, 2026

Out of the eight new #curl CVEs, four of them had existed in code for over twenty years when we published. CVE-2026-5545 clocks in at 22.75 years old CVE-2026-7168 at 21.91 years CVE-2026-6429 at 20.95 years CVE-2026-6253 at 20.66 years And yet CVE-2026-5545 only becomes the 5th oldest vulnerability ever found in curl so far.

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner