CVE-2026-11856 PUBLISHED

cross-origin Digest auth state leak

Assigner: curl
Reserved: 10.06.2026 Published: 03.07.2026 Updated: 03.07.2026

Successfully using libcurl to do a transfer to a specific HTTP origin (hostA) with Digest authentication and then changing the origin to a different one (hostB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Authorization: header field meant for hostA, to hostB.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)
  • affected from 8.10.1 to 8.10.1 (incl.)
  • affected from 8.10.0 to 8.10.0 (incl.)
  • affected from 8.9.1 to 8.9.1 (incl.)
  • affected from 8.9.0 to 8.9.0 (incl.)
  • affected from 8.8.0 to 8.8.0 (incl.)
  • affected from 8.7.1 to 8.7.1 (incl.)
  • affected from 8.7.0 to 8.7.0 (incl.)
  • affected from 8.6.0 to 8.6.0 (incl.)
  • affected from 8.5.0 to 8.5.0 (incl.)
  • affected from 8.4.0 to 8.4.0 (incl.)
  • affected from 8.3.0 to 8.3.0 (incl.)
  • affected from 8.2.1 to 8.2.1 (incl.)
  • affected from 8.2.0 to 8.2.0 (incl.)
  • affected from 8.1.2 to 8.1.2 (incl.)
  • affected from 8.1.1 to 8.1.1 (incl.)
  • affected from 8.1.0 to 8.1.0 (incl.)
  • affected from 8.0.1 to 8.0.1 (incl.)
  • affected from 8.0.0 to 8.0.0 (incl.)
  • affected from 7.88.1 to 7.88.1 (incl.)
  • affected from 7.88.0 to 7.88.0 (incl.)
  • affected from 7.87.0 to 7.87.0 (incl.)
  • affected from 7.86.0 to 7.86.0 (incl.)
  • affected from 7.85.0 to 7.85.0 (incl.)
  • affected from 7.84.0 to 7.84.0 (incl.)
  • affected from 7.83.1 to 7.83.1 (incl.)
  • affected from 7.83.0 to 7.83.0 (incl.)
  • affected from 7.82.0 to 7.82.0 (incl.)
  • affected from 7.81.0 to 7.81.0 (incl.)
  • affected from 7.80.0 to 7.80.0 (incl.)
  • affected from 7.79.1 to 7.79.1 (incl.)
  • affected from 7.79.0 to 7.79.0 (incl.)
  • affected from 7.78.0 to 7.78.0 (incl.)
  • affected from 7.77.0 to 7.77.0 (incl.)
  • affected from 7.76.1 to 7.76.1 (incl.)
  • affected from 7.76.0 to 7.76.0 (incl.)
  • affected from 7.75.0 to 7.75.0 (incl.)
  • affected from 7.74.0 to 7.74.0 (incl.)
  • affected from 7.73.0 to 7.73.0 (incl.)
  • affected from 7.72.0 to 7.72.0 (incl.)
  • affected from 7.71.1 to 7.71.1 (incl.)
  • affected from 7.71.0 to 7.71.0 (incl.)
  • affected from 7.70.0 to 7.70.0 (incl.)
  • affected from 7.69.1 to 7.69.1 (incl.)
  • affected from 7.69.0 to 7.69.0 (incl.)
  • affected from 7.68.0 to 7.68.0 (incl.)
  • affected from 7.67.0 to 7.67.0 (incl.)
  • affected from 7.66.0 to 7.66.0 (incl.)
  • affected from 7.65.3 to 7.65.3 (incl.)
  • affected from 7.65.2 to 7.65.2 (incl.)
  • affected from 7.65.1 to 7.65.1 (incl.)
  • affected from 7.65.0 to 7.65.0 (incl.)
  • affected from 7.64.1 to 7.64.1 (incl.)
  • affected from 7.64.0 to 7.64.0 (incl.)
  • affected from 7.63.0 to 7.63.0 (incl.)
  • affected from 7.62.0 to 7.62.0 (incl.)
  • affected from 7.61.1 to 7.61.1 (incl.)
  • affected from 7.61.0 to 7.61.0 (incl.)
  • affected from 7.60.0 to 7.60.0 (incl.)
  • affected from 7.59.0 to 7.59.0 (incl.)
  • affected from 7.58.0 to 7.58.0 (incl.)
  • affected from 7.57.0 to 7.57.0 (incl.)
  • affected from 7.56.1 to 7.56.1 (incl.)
  • affected from 7.56.0 to 7.56.0 (incl.)
  • affected from 7.55.1 to 7.55.1 (incl.)
  • affected from 7.55.0 to 7.55.0 (incl.)
  • affected from 7.54.1 to 7.54.1 (incl.)
  • affected from 7.54.0 to 7.54.0 (incl.)
  • affected from 7.53.1 to 7.53.1 (incl.)
  • affected from 7.53.0 to 7.53.0 (incl.)
  • affected from 7.52.1 to 7.52.1 (incl.)
  • affected from 7.52.0 to 7.52.0 (incl.)
  • affected from 7.51.0 to 7.51.0 (incl.)
  • affected from 7.50.3 to 7.50.3 (incl.)
  • affected from 7.50.2 to 7.50.2 (incl.)
  • affected from 7.50.1 to 7.50.1 (incl.)
  • affected from 7.50.0 to 7.50.0 (incl.)
  • affected from 7.49.1 to 7.49.1 (incl.)
  • affected from 7.49.0 to 7.49.0 (incl.)
  • affected from 7.48.0 to 7.48.0 (incl.)
  • affected from 7.47.1 to 7.47.1 (incl.)
  • affected from 7.47.0 to 7.47.0 (incl.)
  • affected from 7.46.0 to 7.46.0 (incl.)
  • affected from 7.45.0 to 7.45.0 (incl.)
  • affected from 7.44.0 to 7.44.0 (incl.)
  • affected from 7.43.0 to 7.43.0 (incl.)
  • affected from 7.42.1 to 7.42.1 (incl.)
  • affected from 7.42.0 to 7.42.0 (incl.)
  • affected from 7.41.0 to 7.41.0 (incl.)
  • affected from 7.40.0 to 7.40.0 (incl.)
  • affected from 7.39.0 to 7.39.0 (incl.)
  • affected from 7.38.0 to 7.38.0 (incl.)
  • affected from 7.37.1 to 7.37.1 (incl.)
  • affected from 7.37.0 to 7.37.0 (incl.)
  • affected from 7.36.0 to 7.36.0 (incl.)
  • affected from 7.35.0 to 7.35.0 (incl.)
  • affected from 7.34.0 to 7.34.0 (incl.)
  • affected from 7.33.0 to 7.33.0 (incl.)
  • affected from 7.32.0 to 7.32.0 (incl.)
  • affected from 7.31.0 to 7.31.0 (incl.)
  • affected from 7.30.0 to 7.30.0 (incl.)
  • affected from 7.29.0 to 7.29.0 (incl.)
  • affected from 7.28.1 to 7.28.1 (incl.)
  • affected from 7.28.0 to 7.28.0 (incl.)
  • affected from 7.27.0 to 7.27.0 (incl.)
  • affected from 7.26.0 to 7.26.0 (incl.)
  • affected from 7.25.0 to 7.25.0 (incl.)
  • affected from 7.24.0 to 7.24.0 (incl.)
  • affected from 7.23.1 to 7.23.1 (incl.)
  • affected from 7.23.0 to 7.23.0 (incl.)
  • affected from 7.22.0 to 7.22.0 (incl.)
  • affected from 7.21.7 to 7.21.7 (incl.)
  • affected from 7.21.6 to 7.21.6 (incl.)
  • affected from 7.21.5 to 7.21.5 (incl.)
  • affected from 7.21.4 to 7.21.4 (incl.)
  • affected from 7.21.3 to 7.21.3 (incl.)
  • affected from 7.21.2 to 7.21.2 (incl.)
  • affected from 7.21.1 to 7.21.1 (incl.)
  • affected from 7.21.0 to 7.21.0 (incl.)
  • affected from 7.20.1 to 7.20.1 (incl.)
  • affected from 7.20.0 to 7.20.0 (incl.)
  • affected from 7.19.7 to 7.19.7 (incl.)
  • affected from 7.19.6 to 7.19.6 (incl.)
  • affected from 7.19.5 to 7.19.5 (incl.)
  • affected from 7.19.4 to 7.19.4 (incl.)
  • affected from 7.19.3 to 7.19.3 (incl.)
  • affected from 7.19.2 to 7.19.2 (incl.)
  • affected from 7.19.1 to 7.19.1 (incl.)
  • affected from 7.19.0 to 7.19.0 (incl.)
  • affected from 7.18.2 to 7.18.2 (incl.)
  • affected from 7.18.1 to 7.18.1 (incl.)
  • affected from 7.18.0 to 7.18.0 (incl.)
  • affected from 7.17.1 to 7.17.1 (incl.)
  • affected from 7.17.0 to 7.17.0 (incl.)
  • affected from 7.16.4 to 7.16.4 (incl.)
  • affected from 7.16.3 to 7.16.3 (incl.)
  • affected from 7.16.2 to 7.16.2 (incl.)
  • affected from 7.16.1 to 7.16.1 (incl.)
  • affected from 7.16.0 to 7.16.0 (incl.)
  • affected from 7.15.5 to 7.15.5 (incl.)
  • affected from 7.15.4 to 7.15.4 (incl.)
  • affected from 7.15.3 to 7.15.3 (incl.)
  • affected from 7.15.2 to 7.15.2 (incl.)
  • affected from 7.15.1 to 7.15.1 (incl.)
  • affected from 7.15.0 to 7.15.0 (incl.)
  • affected from 7.14.1 to 7.14.1 (incl.)
  • affected from 7.14.0 to 7.14.0 (incl.)
  • affected from 7.13.2 to 7.13.2 (incl.)
  • affected from 7.13.1 to 7.13.1 (incl.)
  • affected from 7.13.0 to 7.13.0 (incl.)
  • affected from 7.12.3 to 7.12.3 (incl.)
  • affected from 7.12.2 to 7.12.2 (incl.)
  • affected from 7.12.1 to 7.12.1 (incl.)
  • affected from 7.12.0 to 7.12.0 (incl.)
  • affected from 7.11.2 to 7.11.2 (incl.)
  • affected from 7.11.1 to 7.11.1 (incl.)
  • affected from 7.11.0 to 7.11.0 (incl.)
  • affected from 7.10.8 to 7.10.8 (incl.)
  • affected from 7.10.7 to 7.10.7 (incl.)
  • affected from 7.10.6 to 7.10.6 (incl.)

Credits

  • jjchuck on hackerone finder
  • Daniel Stenberg remediation developer

References

Problem Types

  • CWE-294 Authentication Bypass by Capture-replay