CVE-2026-8932 PUBLISHED

incomplete mTLS config matching in conn reuse

Assigner: curl
Reserved: 19.05.2026 Published: 03.07.2026 Updated: 03.07.2026

libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse.

libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)
  • affected from 8.10.1 to 8.10.1 (incl.)
  • affected from 8.10.0 to 8.10.0 (incl.)
  • affected from 8.9.1 to 8.9.1 (incl.)
  • affected from 8.9.0 to 8.9.0 (incl.)
  • affected from 8.8.0 to 8.8.0 (incl.)
  • affected from 8.7.1 to 8.7.1 (incl.)
  • affected from 8.7.0 to 8.7.0 (incl.)
  • affected from 8.6.0 to 8.6.0 (incl.)
  • affected from 8.5.0 to 8.5.0 (incl.)
  • affected from 8.4.0 to 8.4.0 (incl.)
  • affected from 8.3.0 to 8.3.0 (incl.)
  • affected from 8.2.1 to 8.2.1 (incl.)
  • affected from 8.2.0 to 8.2.0 (incl.)
  • affected from 8.1.2 to 8.1.2 (incl.)
  • affected from 8.1.1 to 8.1.1 (incl.)
  • affected from 8.1.0 to 8.1.0 (incl.)
  • affected from 8.0.1 to 8.0.1 (incl.)
  • affected from 8.0.0 to 8.0.0 (incl.)
  • affected from 7.88.1 to 7.88.1 (incl.)
  • affected from 7.88.0 to 7.88.0 (incl.)
  • affected from 7.87.0 to 7.87.0 (incl.)
  • affected from 7.86.0 to 7.86.0 (incl.)
  • affected from 7.85.0 to 7.85.0 (incl.)
  • affected from 7.84.0 to 7.84.0 (incl.)
  • affected from 7.83.1 to 7.83.1 (incl.)
  • affected from 7.83.0 to 7.83.0 (incl.)
  • affected from 7.82.0 to 7.82.0 (incl.)
  • affected from 7.81.0 to 7.81.0 (incl.)
  • affected from 7.80.0 to 7.80.0 (incl.)
  • affected from 7.79.1 to 7.79.1 (incl.)
  • affected from 7.79.0 to 7.79.0 (incl.)
  • affected from 7.78.0 to 7.78.0 (incl.)
  • affected from 7.77.0 to 7.77.0 (incl.)
  • affected from 7.76.1 to 7.76.1 (incl.)
  • affected from 7.76.0 to 7.76.0 (incl.)
  • affected from 7.75.0 to 7.75.0 (incl.)
  • affected from 7.74.0 to 7.74.0 (incl.)
  • affected from 7.73.0 to 7.73.0 (incl.)
  • affected from 7.72.0 to 7.72.0 (incl.)
  • affected from 7.71.1 to 7.71.1 (incl.)
  • affected from 7.71.0 to 7.71.0 (incl.)
  • affected from 7.70.0 to 7.70.0 (incl.)
  • affected from 7.69.1 to 7.69.1 (incl.)
  • affected from 7.69.0 to 7.69.0 (incl.)
  • affected from 7.68.0 to 7.68.0 (incl.)
  • affected from 7.67.0 to 7.67.0 (incl.)
  • affected from 7.66.0 to 7.66.0 (incl.)
  • affected from 7.65.3 to 7.65.3 (incl.)
  • affected from 7.65.2 to 7.65.2 (incl.)
  • affected from 7.65.1 to 7.65.1 (incl.)
  • affected from 7.65.0 to 7.65.0 (incl.)
  • affected from 7.64.1 to 7.64.1 (incl.)
  • affected from 7.64.0 to 7.64.0 (incl.)
  • affected from 7.63.0 to 7.63.0 (incl.)
  • affected from 7.62.0 to 7.62.0 (incl.)
  • affected from 7.61.1 to 7.61.1 (incl.)
  • affected from 7.61.0 to 7.61.0 (incl.)
  • affected from 7.60.0 to 7.60.0 (incl.)
  • affected from 7.59.0 to 7.59.0 (incl.)
  • affected from 7.58.0 to 7.58.0 (incl.)
  • affected from 7.57.0 to 7.57.0 (incl.)
  • affected from 7.56.1 to 7.56.1 (incl.)
  • affected from 7.56.0 to 7.56.0 (incl.)
  • affected from 7.55.1 to 7.55.1 (incl.)
  • affected from 7.55.0 to 7.55.0 (incl.)
  • affected from 7.54.1 to 7.54.1 (incl.)
  • affected from 7.54.0 to 7.54.0 (incl.)
  • affected from 7.53.1 to 7.53.1 (incl.)
  • affected from 7.53.0 to 7.53.0 (incl.)
  • affected from 7.52.1 to 7.52.1 (incl.)
  • affected from 7.52.0 to 7.52.0 (incl.)
  • affected from 7.51.0 to 7.51.0 (incl.)
  • affected from 7.50.3 to 7.50.3 (incl.)
  • affected from 7.50.2 to 7.50.2 (incl.)
  • affected from 7.50.1 to 7.50.1 (incl.)
  • affected from 7.50.0 to 7.50.0 (incl.)
  • affected from 7.49.1 to 7.49.1 (incl.)
  • affected from 7.49.0 to 7.49.0 (incl.)
  • affected from 7.48.0 to 7.48.0 (incl.)
  • affected from 7.47.1 to 7.47.1 (incl.)
  • affected from 7.47.0 to 7.47.0 (incl.)
  • affected from 7.46.0 to 7.46.0 (incl.)
  • affected from 7.45.0 to 7.45.0 (incl.)
  • affected from 7.44.0 to 7.44.0 (incl.)
  • affected from 7.43.0 to 7.43.0 (incl.)
  • affected from 7.42.1 to 7.42.1 (incl.)
  • affected from 7.42.0 to 7.42.0 (incl.)
  • affected from 7.41.0 to 7.41.0 (incl.)
  • affected from 7.40.0 to 7.40.0 (incl.)
  • affected from 7.39.0 to 7.39.0 (incl.)
  • affected from 7.38.0 to 7.38.0 (incl.)
  • affected from 7.37.1 to 7.37.1 (incl.)
  • affected from 7.37.0 to 7.37.0 (incl.)
  • affected from 7.36.0 to 7.36.0 (incl.)
  • affected from 7.35.0 to 7.35.0 (incl.)
  • affected from 7.34.0 to 7.34.0 (incl.)
  • affected from 7.33.0 to 7.33.0 (incl.)
  • affected from 7.32.0 to 7.32.0 (incl.)
  • affected from 7.31.0 to 7.31.0 (incl.)
  • affected from 7.30.0 to 7.30.0 (incl.)
  • affected from 7.29.0 to 7.29.0 (incl.)
  • affected from 7.28.1 to 7.28.1 (incl.)
  • affected from 7.28.0 to 7.28.0 (incl.)
  • affected from 7.27.0 to 7.27.0 (incl.)
  • affected from 7.26.0 to 7.26.0 (incl.)
  • affected from 7.25.0 to 7.25.0 (incl.)
  • affected from 7.24.0 to 7.24.0 (incl.)
  • affected from 7.23.1 to 7.23.1 (incl.)
  • affected from 7.23.0 to 7.23.0 (incl.)
  • affected from 7.22.0 to 7.22.0 (incl.)
  • affected from 7.21.7 to 7.21.7 (incl.)
  • affected from 7.21.6 to 7.21.6 (incl.)
  • affected from 7.21.5 to 7.21.5 (incl.)
  • affected from 7.21.4 to 7.21.4 (incl.)
  • affected from 7.21.3 to 7.21.3 (incl.)
  • affected from 7.21.2 to 7.21.2 (incl.)
  • affected from 7.21.1 to 7.21.1 (incl.)
  • affected from 7.21.0 to 7.21.0 (incl.)
  • affected from 7.20.1 to 7.20.1 (incl.)
  • affected from 7.20.0 to 7.20.0 (incl.)
  • affected from 7.19.7 to 7.19.7 (incl.)
  • affected from 7.19.6 to 7.19.6 (incl.)
  • affected from 7.19.5 to 7.19.5 (incl.)
  • affected from 7.19.4 to 7.19.4 (incl.)
  • affected from 7.19.3 to 7.19.3 (incl.)
  • affected from 7.19.2 to 7.19.2 (incl.)
  • affected from 7.19.1 to 7.19.1 (incl.)
  • affected from 7.19.0 to 7.19.0 (incl.)
  • affected from 7.18.2 to 7.18.2 (incl.)
  • affected from 7.18.1 to 7.18.1 (incl.)
  • affected from 7.18.0 to 7.18.0 (incl.)
  • affected from 7.17.1 to 7.17.1 (incl.)
  • affected from 7.17.0 to 7.17.0 (incl.)
  • affected from 7.16.4 to 7.16.4 (incl.)
  • affected from 7.16.3 to 7.16.3 (incl.)
  • affected from 7.16.2 to 7.16.2 (incl.)
  • affected from 7.16.1 to 7.16.1 (incl.)
  • affected from 7.16.0 to 7.16.0 (incl.)
  • affected from 7.15.5 to 7.15.5 (incl.)
  • affected from 7.15.4 to 7.15.4 (incl.)
  • affected from 7.15.3 to 7.15.3 (incl.)
  • affected from 7.15.2 to 7.15.2 (incl.)
  • affected from 7.15.1 to 7.15.1 (incl.)
  • affected from 7.15.0 to 7.15.0 (incl.)
  • affected from 7.14.1 to 7.14.1 (incl.)
  • affected from 7.14.0 to 7.14.0 (incl.)
  • affected from 7.13.2 to 7.13.2 (incl.)
  • affected from 7.13.1 to 7.13.1 (incl.)
  • affected from 7.13.0 to 7.13.0 (incl.)
  • affected from 7.12.3 to 7.12.3 (incl.)
  • affected from 7.12.2 to 7.12.2 (incl.)
  • affected from 7.12.1 to 7.12.1 (incl.)
  • affected from 7.12.0 to 7.12.0 (incl.)
  • affected from 7.11.2 to 7.11.2 (incl.)
  • affected from 7.11.1 to 7.11.1 (incl.)
  • affected from 7.11.0 to 7.11.0 (incl.)
  • affected from 7.10.8 to 7.10.8 (incl.)
  • affected from 7.10.7 to 7.10.7 (incl.)
  • affected from 7.10.6 to 7.10.6 (incl.)
  • affected from 7.10.5 to 7.10.5 (incl.)
  • affected from 7.10.4 to 7.10.4 (incl.)
  • affected from 7.10.3 to 7.10.3 (incl.)
  • affected from 7.10.2 to 7.10.2 (incl.)
  • affected from 7.10.1 to 7.10.1 (incl.)
  • affected from 7.10 to 7.10 (incl.)
  • affected from 7.9.8 to 7.9.8 (incl.)
  • affected from 7.9.7 to 7.9.7 (incl.)
  • affected from 7.9.6 to 7.9.6 (incl.)
  • affected from 7.9.5 to 7.9.5 (incl.)
  • affected from 7.9.4 to 7.9.4 (incl.)
  • affected from 7.9.3 to 7.9.3 (incl.)
  • affected from 7.9.2 to 7.9.2 (incl.)
  • affected from 7.9.1 to 7.9.1 (incl.)
  • affected from 7.9 to 7.9 (incl.)
  • affected from 7.8.1 to 7.8.1 (incl.)
  • affected from 7.8 to 7.8 (incl.)
  • affected from 7.7.3 to 7.7.3 (incl.)
  • affected from 7.7.2 to 7.7.2 (incl.)
  • affected from 7.7.1 to 7.7.1 (incl.)
  • affected from 7.7 to 7.7 (incl.)

Credits

  • Joshua Rogers (Aisle Research) finder
  • Joshua Rogers (Aisle Research) remediation developer

References

Problem Types

  • CWE-305 Authentication Bypass by Primary Weakness