VYPR
patch · Published Jun 25, 2026 · 1 source

25-Year-Old cURL Vulnerability Patched in Record 18-CVE Release

A 25-year-old authentication bypass flaw in cURL, present since version 7.7 from 2001, has been patched in curl 8.21.0 alongside a record 18 CVEs, including critical bugs discovered by AI-powered security platforms.

A critical security flaw that lurked in curl for over 25 years has been patched as part of a record-breaking security release that fixed 18 CVEs, the most ever issued for a single curl version. The vulnerability, CVE-2026-8932, first shipped in curl 7.7 on March 22, 2001, making it the oldest curl security issue ever reported. The release was announced by maintainer Daniel Stenberg on June 24, 2026.

curl is not just a command-line tool; it is foundational infrastructure. Running on more than 30 billion devices, it powers data transfers across operating systems, containers, CI/CD pipelines, package managers, SDKs, and automotive systems. The vast majority of users never interact with curl directly but instead rely on libcurl, the embedded engine in countless products, making vulnerabilities in this library especially dangerous and difficult to trace.

The wave of discoveries began on May 11, 2026, when curl founder and lead developer Daniel Stenberg announced that Anthropic's Mythos AI model had identified a single CVE in curl. That disclosure triggered an unprecedented flood of security reports targeting the curl project. When the dust settled, 18 CVEs had been issued for the curl 8.21.0 release, a record high for any single curl version.

AISLE, an AI-powered, model-agnostic security platform, claimed 6 of the 18 CVEs, plus additional valid findings across curl and libcurl. The next-closest AI-powered organization received 3 CVEs, while researchers using Anthropic and OpenAI models found 1 each. All six AISLE-reported vulnerabilities were responsibly disclosed and patched in the June 24, 2026, release of curl 8.21.0. They are CVE-2026-8926 (.netrc credential confusion), CVE-2026-8925 (SASL double-free), CVE-2026-8932 (mTLS authentication bypass), CVE-2026-9080 (use-after-free in socket callback), CVE-2026-9547 (SSH host validation bypass), and CVE-2026-10536 (HTTP/2 use-after-free).

Beyond CVEs, AISLE also disclosed three additional memory safety issues, including a heap out-of-bounds read in urlapi and use-after-free/double-free bugs in HSTS handling, all reported via HackerOne. Notably, several of these vulnerabilities exclusively affect libcurl, not the curl command-line tool itself. This means they exist deep inside embedded products where end users have no visibility and no direct ability to patch them. Whether the vulnerable code is reachable depends on how the embedding application drives libcurl (the protocols and options it uses), which makes these findings especially significant for enterprise and IoT environments.

Beyond security fixes, curl 8.21.0 introduces a limited set of new features, given the heavy focus on vulnerability remediation during this cycle. Key additions include support for named globs in file uploads and enhanced HTTP/3 proxy capabilities using CONNECT and MASQUE CONNECT-UDP. The release also removes deprecated features such as HTTP/2 stream dependency tracking and CURLAUTH_DIGEST_IE support, aligning the project with modern protocol practices. Developers are also warned about upcoming removals, including NTLM, SMB, TLS-SRP, and local crypto implementations. In total, the release includes 276 bug fixes and over 500 commits contributed by more than 100 developers, reflecting the scale of ongoing maintenance and security efforts.

Security teams and developers are strongly advised to upgrade to curl 8.21.0 immediately, especially in environments relying on authentication mechanisms, proxy configurations, or HTTP/2 and HTTP/3 features. The involvement of AI-powered security platforms in discovering these vulnerabilities highlights a growing trend in automated vulnerability research, which is likely to accelerate the pace of finding and fixing long-dormant flaws in critical open-source infrastructure.
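One quick way to find builds that predate the fix, added here as an example and not part of the article: parse the banner printed by `curl --version` or returned by libcurl's own `curl_version()` and flag any component below 8.21.0. The tool and library versions are checked separately because a curl binary may be linked against a different libcurl than the one an embedded product ships. The sample banners below are constructed.

```python
"""Flag curl / libcurl builds that predate the curl 8.21.0 security release."""
import ctypes
import ctypes.util
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (8, 21, 0)  # release that shipped the 18-CVE fix set

# Constructed sample banners (not captured from a real host).
SAMPLE_CLI_BANNER = "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 nghttp2/1.59.0"
SAMPLE_LIB_BANNER = "libcurl/8.21.0 OpenSSL/3.3.1 zlib/1.3.1 nghttp2/1.62.1"


def parse_versions(banner: str) -> Dict[str, Version]:
    """Extract the tool version ('curl X.Y.Z' at the start of `curl --version`)
    and the library version ('libcurl/X.Y.Z', present in both banner forms)."""
    found: Dict[str, Version] = {}
    tool = re.match(r"curl (\d+)\.(\d+)\.(\d+)", banner)
    if tool:
        found["curl"] = tuple(int(x) for x in tool.groups())  # type: ignore[assignment]
    lib = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", banner)
    if lib:
        found["libcurl"] = tuple(int(x) for x in lib.groups())  # type: ignore[assignment]
    return found


def assess(banner: str) -> Dict[str, str]:
    """Map each component found in the banner to 'needs upgrade' or 'patched'.
    Tuple comparison handles 8.5.0 < 8.21.0 correctly (string comparison would not)."""
    return {
        name: ("needs upgrade" if version < FIXED_VERSION else "patched")
        for name, version in parse_versions(banner).items()
    }


def probe_loaded_libcurl() -> Optional[str]:
    """Ask the libcurl on this host for its banner via curl_version(), a real
    libcurl API. Returns None when no libcurl shared library can be located."""
    path = ctypes.util.find_library("curl")
    if not path:
        return None
    lib = ctypes.CDLL(path)
    lib.curl_version.restype = ctypes.c_char_p
    lib.curl_version.argtypes = []
    return lib.curl_version().decode()


if __name__ == "__main__":
    live = probe_loaded_libcurl()
    print("libcurl on this host:", assess(live) if live else "not found")
```

The probe only sees the libcurl that the dynamic loader resolves by default; products that bundle their own copy need to be checked against the library they actually load.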

Synthesized by Vypr AI