Medium severity5.3NVD Advisory· Published May 13, 2026· Updated May 14, 2026

CVE-2026-7168

Description

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Affected products

Haxx/Curl
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*
Range: >=7.12.0,<8.20.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/29/14nvdMailing ListPatch
curl.se/docs/CVE-2026-7168.htmlnvdPatchVendor Advisory
hackerone.com/reports/3697719nvdExploitIssue Tracking
curl.se/docs/CVE-2026-7168.jsonnvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000