CVE-2026-8286 PUBLISHED

wrong STARTTLS connection reuse

Assigner: curl
Reserved: 11.05.2026 Published: 03.07.2026 Updated: 03.07.2026

A vulnerability exists where a new transfer that uses STARTTLS to upgrade the connection might reuse an existing live connection even though the TLS configuration mismatches so it should not.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)
  • affected from 8.10.1 to 8.10.1 (incl.)
  • affected from 8.10.0 to 8.10.0 (incl.)
  • affected from 8.9.1 to 8.9.1 (incl.)
  • affected from 8.9.0 to 8.9.0 (incl.)
  • affected from 8.8.0 to 8.8.0 (incl.)
  • affected from 8.7.1 to 8.7.1 (incl.)
  • affected from 8.7.0 to 8.7.0 (incl.)
  • affected from 8.6.0 to 8.6.0 (incl.)
  • affected from 8.5.0 to 8.5.0 (incl.)
  • affected from 8.4.0 to 8.4.0 (incl.)
  • affected from 8.3.0 to 8.3.0 (incl.)
  • affected from 8.2.1 to 8.2.1 (incl.)
  • affected from 8.2.0 to 8.2.0 (incl.)
  • affected from 8.1.2 to 8.1.2 (incl.)
  • affected from 8.1.1 to 8.1.1 (incl.)
  • affected from 8.1.0 to 8.1.0 (incl.)
  • affected from 8.0.1 to 8.0.1 (incl.)
  • affected from 8.0.0 to 8.0.0 (incl.)
  • affected from 7.88.1 to 7.88.1 (incl.)
  • affected from 7.88.0 to 7.88.0 (incl.)
  • affected from 7.87.0 to 7.87.0 (incl.)
  • affected from 7.86.0 to 7.86.0 (incl.)
  • affected from 7.85.0 to 7.85.0 (incl.)
  • affected from 7.84.0 to 7.84.0 (incl.)
  • affected from 7.83.1 to 7.83.1 (incl.)
  • affected from 7.83.0 to 7.83.0 (incl.)
  • affected from 7.82.0 to 7.82.0 (incl.)
  • affected from 7.81.0 to 7.81.0 (incl.)
  • affected from 7.80.0 to 7.80.0 (incl.)
  • affected from 7.79.1 to 7.79.1 (incl.)
  • affected from 7.79.0 to 7.79.0 (incl.)
  • affected from 7.78.0 to 7.78.0 (incl.)
  • affected from 7.77.0 to 7.77.0 (incl.)
  • affected from 7.76.1 to 7.76.1 (incl.)
  • affected from 7.76.0 to 7.76.0 (incl.)
  • affected from 7.75.0 to 7.75.0 (incl.)
  • affected from 7.74.0 to 7.74.0 (incl.)
  • affected from 7.73.0 to 7.73.0 (incl.)
  • affected from 7.72.0 to 7.72.0 (incl.)
  • affected from 7.71.1 to 7.71.1 (incl.)
  • affected from 7.71.0 to 7.71.0 (incl.)
  • affected from 7.70.0 to 7.70.0 (incl.)
  • affected from 7.69.1 to 7.69.1 (incl.)
  • affected from 7.69.0 to 7.69.0 (incl.)
  • affected from 7.68.0 to 7.68.0 (incl.)
  • affected from 7.67.0 to 7.67.0 (incl.)
  • affected from 7.66.0 to 7.66.0 (incl.)
  • affected from 7.65.3 to 7.65.3 (incl.)
  • affected from 7.65.2 to 7.65.2 (incl.)
  • affected from 7.65.1 to 7.65.1 (incl.)
  • affected from 7.65.0 to 7.65.0 (incl.)
  • affected from 7.64.1 to 7.64.1 (incl.)
  • affected from 7.64.0 to 7.64.0 (incl.)
  • affected from 7.63.0 to 7.63.0 (incl.)
  • affected from 7.62.0 to 7.62.0 (incl.)
  • affected from 7.61.1 to 7.61.1 (incl.)
  • affected from 7.61.0 to 7.61.0 (incl.)
  • affected from 7.60.0 to 7.60.0 (incl.)
  • affected from 7.59.0 to 7.59.0 (incl.)
  • affected from 7.58.0 to 7.58.0 (incl.)
  • affected from 7.57.0 to 7.57.0 (incl.)
  • affected from 7.56.1 to 7.56.1 (incl.)
  • affected from 7.56.0 to 7.56.0 (incl.)
  • affected from 7.55.1 to 7.55.1 (incl.)
  • affected from 7.55.0 to 7.55.0 (incl.)
  • affected from 7.54.1 to 7.54.1 (incl.)
  • affected from 7.54.0 to 7.54.0 (incl.)
  • affected from 7.53.1 to 7.53.1 (incl.)
  • affected from 7.53.0 to 7.53.0 (incl.)
  • affected from 7.52.1 to 7.52.1 (incl.)
  • affected from 7.52.0 to 7.52.0 (incl.)
  • affected from 7.51.0 to 7.51.0 (incl.)
  • affected from 7.50.3 to 7.50.3 (incl.)
  • affected from 7.50.2 to 7.50.2 (incl.)
  • affected from 7.50.1 to 7.50.1 (incl.)
  • affected from 7.50.0 to 7.50.0 (incl.)
  • affected from 7.49.1 to 7.49.1 (incl.)
  • affected from 7.49.0 to 7.49.0 (incl.)
  • affected from 7.48.0 to 7.48.0 (incl.)
  • affected from 7.47.1 to 7.47.1 (incl.)
  • affected from 7.47.0 to 7.47.0 (incl.)
  • affected from 7.46.0 to 7.46.0 (incl.)
  • affected from 7.45.0 to 7.45.0 (incl.)
  • affected from 7.44.0 to 7.44.0 (incl.)
  • affected from 7.43.0 to 7.43.0 (incl.)
  • affected from 7.42.1 to 7.42.1 (incl.)
  • affected from 7.42.0 to 7.42.0 (incl.)
  • affected from 7.41.0 to 7.41.0 (incl.)
  • affected from 7.40.0 to 7.40.0 (incl.)
  • affected from 7.39.0 to 7.39.0 (incl.)
  • affected from 7.38.0 to 7.38.0 (incl.)
  • affected from 7.37.1 to 7.37.1 (incl.)
  • affected from 7.37.0 to 7.37.0 (incl.)
  • affected from 7.36.0 to 7.36.0 (incl.)
  • affected from 7.35.0 to 7.35.0 (incl.)
  • affected from 7.34.0 to 7.34.0 (incl.)
  • affected from 7.33.0 to 7.33.0 (incl.)
  • affected from 7.32.0 to 7.32.0 (incl.)
  • affected from 7.31.0 to 7.31.0 (incl.)
  • affected from 7.30.0 to 7.30.0 (incl.)

Credits

  • Andrew Nesbitt (powered by Mythos) finder
  • Stefan Eissing remediation developer

References

Problem Types

  • CWE-295 Improper Certificate Validation