Medium severity5.3NVD Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-7009

Description

When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

Affected products

Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: >=8.17.0,<8.20.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/29/12nvdMailing ListPatchThird Party Advisory
curl.se/docs/CVE-2026-7009.htmlnvdPatchVendor Advisory
hackerone.com/reports/3694390nvdExploitIssue TrackingPatch
curl.se/docs/CVE-2026-7009.jsonnvdProduct

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000