Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-29T00:00:00 curl: curl: Information disclosure due to incorrect TLS connection reuse 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CWE-319

A flaw was found in curl. A remote attacker could exploit this by initiating an unencrypted connection (via IMAP, SMTP, or POP3) and then making a subsequent request to the same host that requires Transport Layer Security (TLS). Due to incorrect connection reuse, the subsequent request would bypass the TLS requirement, leading to the transmission of sensitive information in cleartext. This vulnerability, categorized as Cleartext Transmission of Sensitive Information (CWE-319), results in information disclosure.

Moderate: This flaw in curl allows for information disclosure when an unencrypted connection is incorrectly reused for a subsequent request that expects TLS. This can lead to the cleartext transmission of sensitive data, potentially affecting Red Hat products that utilize curl for IMAP, SMTP, or POP3 connections where connection reuse is enabled. To mitigate this issue, avoid using clear-text IMAP, POP3, or SMTP transfers with curl. Ensure that all connections for these protocols are initiated with TLS from the outset to prevent the reuse of unencrypted connections. Red Hat Hardened Images 2026-05-02T00:00:00Z RHSA-2026:12916 curl-main-8.20.0-0.1.hum1 Confidential Compute Attestation Fix deferred build-of-trustee/trustee-rhel9 Confidential Compute Attestation Fix deferred confidential-compute-attestation-tech-preview/trustee-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-operator-bundle Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-builder-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-payload-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-operator-bundle Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/eventrouter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/fluentd-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/log-file-metric-exporter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/logging-view-plugin-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/vector-rhel9 Red Hat Enterprise Linux 10 Fix deferred curl Red Hat Enterprise Linux 10 Fix deferred rust Red Hat Enterprise Linux 10 Fix deferred s390utils Red Hat Enterprise Linux 10 Fix deferred snphost Red Hat Enterprise Linux 10 Fix deferred trustee Red Hat Enterprise Linux 10 Fix deferred trustee-guest-components Red Hat Enterprise Linux 6 Fix deferred curl Red Hat Enterprise Linux 7 Fix deferred curl Red Hat Enterprise Linux 8 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred rust Red Hat Enterprise Linux 9 Fix deferred snphost Red Hat Enterprise Linux 9 Fix deferred trustee-guest-components Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rust Red Hat Hardened Images Not affected rust Red Hat JBoss Core Services Fix deferred curl Red Hat OpenShift Container Platform 4 Fix deferred rhcos Red Hat OpenShift Dev Spaces Fix deferred devspaces/code-rhel9 Red Hat Trusted Profile Analyzer Fix deferred rhtpa/rhtpa-trustification-service-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-4873 https://nvd.nist.gov/vuln/detail/CVE-2026-4873 https://curl.se/docs/CVE-2026-4873.html