Medium severity5.9NVD Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-6253

Description

curl might erroneously pass on credentials for a first proxy to a second proxy.

This can happen when the following conditions are true:

1. curl is setup to use specific different proxies for different URL schemes 2. the first proxy needs credentials 3. the second proxy uses no credentials 4. while using the first proxy (using say http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different, proxy

Affected products

Curl/Curlinferred
Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: >=7.14.1,<8.20.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/29/11nvdMailing ListPatchThird Party Advisory
curl.se/docs/CVE-2026-6253.htmlnvdPatchVendor Advisory
hackerone.com/reports/3669637nvdExploitIssue TrackingThird Party Advisory
curl.se/docs/CVE-2026-6253.jsonnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.384
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000