{ "threat_severity" : "Moderate", "public_date" : "2026-04-29T00:00:00Z", "bugzilla" : { "description" : "curl: libcurl: Credential leak via reused proxy connection during HTTP redirects", "id" : "2461205", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2461205" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-201", "details" : [ "A flaw was found in libcurl. When configured to use a .netrc file for credentials and follow HTTP redirects, libcurl can inadvertently send the password from the initial connection to the redirected host. This sensitive information disclosure occurs when both the original and redirect URLs use clear text HTTP, are performed over the same HTTP proxy, and the same connection is reused. This vulnerability, categorized as an Exposure of Sensitive Information to an Unauthorized Actor (CWE-200), could allow an attacker to obtain user credentials." ], "statement" : "Moderate: A flaw in libcurl could lead to credential leakage. This issue occurs when libcurl is configured to use a `.netrc` file for credentials and follows HTTP redirects, potentially exposing passwords to the redirected host. Exploitation requires both the original and redirect URLs to be clear text HTTP, performed over the same HTTP proxy, and with connection reuse. The curl command-line tool is not affected by this vulnerability.", "affected_release" : [ { "product_name" : "Red Hat Hardened Images", "release_date" : "2026-05-02T00:00:00Z", "advisory" : "RHSA-2026:12916", "cpe" : "cpe:/a:redhat:hummingbird:1", "package" : "curl-main-8.20.0-0.1.hum1" } ], "package_state" : [ { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "build-of-trustee/trustee-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "confidential-compute-attestation-tech-preview/trustee-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-operator-bundle", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-podvm-builder-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-podvm-payload-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-rhel9-operator", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/cluster-logging-operator-bundle", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/eventrouter-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/fluentd-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/log-file-metric-exporter-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/logging-view-plugin-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/vector-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "rust", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "s390utils", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "snphost", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "trustee", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "trustee-guest-components", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "rust", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "snphost", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "trustee-guest-components", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "rust", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Not affected", "package_name" : "rust", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Fix deferred", "package_name" : "curl", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "rhcos", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Fix deferred", "package_name" : "devspaces/code-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Trusted Profile Analyzer", "fix_state" : "Fix deferred", "package_name" : "rhtpa/rhtpa-trustification-service-rhel9", "cpe" : "cpe:/a:redhat:trusted_profile_analyzer:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-6429\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6429\nhttps://curl.se/docs/CVE-2026-6429.html" ], "name" : "CVE-2026-6429", "mitigation" : { "value" : "To prevent the credential leak, avoid using the combination of .netrc for credentials, clear text HTTP URLs, and an HTTP proxy when making requests with libcurl. This operational control prevents the specific conditions that enable the vulnerability.", "lang" : "en:us" }, "csaw" : false }