CVE-2026-9547 PUBLISHED

SSH improper host validation

Assigner: curl
Reserved: 26.05.2026 Published: 03.07.2026 Updated: 03.07.2026

When a libcurl-based application performs transfers via SCP:// or SFTP:// and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the known_hosts file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack.

Product Status

Vendor curl
Product curl
Versions Default: unaffected
  • affected from 8.20.0 to 8.20.0 (incl.)
  • affected from 8.19.0 to 8.19.0 (incl.)
  • affected from 8.18.0 to 8.18.0 (incl.)
  • affected from 8.17.0 to 8.17.0 (incl.)
  • affected from 8.16.0 to 8.16.0 (incl.)
  • affected from 8.15.0 to 8.15.0 (incl.)
  • affected from 8.14.1 to 8.14.1 (incl.)
  • affected from 8.14.0 to 8.14.0 (incl.)
  • affected from 8.13.0 to 8.13.0 (incl.)
  • affected from 8.12.1 to 8.12.1 (incl.)
  • affected from 8.12.0 to 8.12.0 (incl.)
  • affected from 8.11.1 to 8.11.1 (incl.)
  • affected from 8.11.0 to 8.11.0 (incl.)
  • affected from 8.10.1 to 8.10.1 (incl.)
  • affected from 8.10.0 to 8.10.0 (incl.)
  • affected from 8.9.1 to 8.9.1 (incl.)
  • affected from 8.9.0 to 8.9.0 (incl.)
  • affected from 8.8.0 to 8.8.0 (incl.)
  • affected from 8.7.1 to 8.7.1 (incl.)
  • affected from 8.7.0 to 8.7.0 (incl.)
  • affected from 8.6.0 to 8.6.0 (incl.)
  • affected from 8.5.0 to 8.5.0 (incl.)
  • affected from 8.4.0 to 8.4.0 (incl.)
  • affected from 8.3.0 to 8.3.0 (incl.)
  • affected from 8.2.1 to 8.2.1 (incl.)
  • affected from 8.2.0 to 8.2.0 (incl.)
  • affected from 8.1.2 to 8.1.2 (incl.)
  • affected from 8.1.1 to 8.1.1 (incl.)
  • affected from 8.1.0 to 8.1.0 (incl.)
  • affected from 8.0.1 to 8.0.1 (incl.)
  • affected from 8.0.0 to 8.0.0 (incl.)
  • affected from 7.88.1 to 7.88.1 (incl.)
  • affected from 7.88.0 to 7.88.0 (incl.)
  • affected from 7.87.0 to 7.87.0 (incl.)
  • affected from 7.86.0 to 7.86.0 (incl.)
  • affected from 7.85.0 to 7.85.0 (incl.)
  • affected from 7.84.0 to 7.84.0 (incl.)
  • affected from 7.83.1 to 7.83.1 (incl.)
  • affected from 7.83.0 to 7.83.0 (incl.)
  • affected from 7.82.0 to 7.82.0 (incl.)
  • affected from 7.81.0 to 7.81.0 (incl.)
  • affected from 7.80.0 to 7.80.0 (incl.)
  • affected from 7.79.1 to 7.79.1 (incl.)
  • affected from 7.79.0 to 7.79.0 (incl.)
  • affected from 7.78.0 to 7.78.0 (incl.)
  • affected from 7.77.0 to 7.77.0 (incl.)
  • affected from 7.76.1 to 7.76.1 (incl.)
  • affected from 7.76.0 to 7.76.0 (incl.)
  • affected from 7.75.0 to 7.75.0 (incl.)
  • affected from 7.74.0 to 7.74.0 (incl.)
  • affected from 7.73.0 to 7.73.0 (incl.)
  • affected from 7.72.0 to 7.72.0 (incl.)
  • affected from 7.71.1 to 7.71.1 (incl.)
  • affected from 7.71.0 to 7.71.0 (incl.)
  • affected from 7.70.0 to 7.70.0 (incl.)
  • affected from 7.69.1 to 7.69.1 (incl.)
  • affected from 7.69.0 to 7.69.0 (incl.)

Credits

  • Joshua Rogers (Aisle Research) finder
  • Joshua Rogers (Aisle Research) remediation developer

References

Problem Types

  • CWE-297 Improper Validation of Certificate with Host Mismatch