Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-04-29T00:00:00 curl: curl: Proxy credential disclosure via redirects to unauthenticated proxies 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CWE-201

A flaw was found in curl. When curl is configured to use distinct proxies for different URL schemes, a redirect from a URL using an authenticated proxy to one using an unauthenticated proxy can inadvertently expose the initial proxy's credentials. This improper credential management (CWE-522) may allow an attacker to gain unauthorized access or information by intercepting these disclosed credentials.

Moderate: This flaw in curl and libcurl allows proxy credentials to be inadvertently exposed to a second proxy during a redirect. This issue arises when curl is configured to use distinct proxies for different URL schemes, the initial proxy requires authentication, and a subsequent proxy does not. Red Hat products utilizing curl or libcurl in such a specific proxy chaining configuration may be affected. To mitigate this issue, avoid configuring curl or libcurl to use proxies that require credentials. This prevents the scenario where credentials for a first proxy could be inadvertently passed to a second proxy during a redirect. Red Hat Hardened Images 2026-05-02T00:00:00Z RHSA-2026:12916 curl-main-8.20.0-0.1.hum1 Confidential Compute Attestation Fix deferred build-of-trustee/trustee-rhel9 Confidential Compute Attestation Fix deferred confidential-compute-attestation-tech-preview/trustee-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-operator-bundle Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-builder-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-podvm-payload-rhel9 Confidential Compute Attestation Fix deferred openshift-sandboxed-containers/osc-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-operator-bundle Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/cluster-logging-rhel9-operator Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/eventrouter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/fluentd-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/log-file-metric-exporter-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/logging-view-plugin-rhel9 Logging Subsystem for Red Hat OpenShift Fix deferred openshift-logging/vector-rhel9 Red Hat Enterprise Linux 10 Fix deferred curl Red Hat Enterprise Linux 10 Fix deferred rust Red Hat Enterprise Linux 10 Fix deferred s390utils Red Hat Enterprise Linux 10 Fix deferred snphost Red Hat Enterprise Linux 10 Fix deferred trustee Red Hat Enterprise Linux 10 Fix deferred trustee-guest-components Red Hat Enterprise Linux 6 Fix deferred curl Red Hat Enterprise Linux 7 Fix deferred curl Red Hat Enterprise Linux 8 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred rust Red Hat Enterprise Linux 9 Fix deferred snphost Red Hat Enterprise Linux 9 Fix deferred trustee-guest-components Red Hat Enterprise Linux AI (RHEL AI) 3 Fix deferred rust Red Hat Hardened Images Not affected rust Red Hat JBoss Core Services Fix deferred curl Red Hat OpenShift Container Platform 4 Fix deferred rhcos Red Hat OpenShift Dev Spaces Fix deferred devspaces/code-rhel9 Red Hat Trusted Profile Analyzer Fix deferred rhtpa/rhtpa-trustification-service-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-6253 https://nvd.nist.gov/vuln/detail/CVE-2026-6253 https://curl.se/docs/CVE-2026-6253.html