Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-13T08:29:08 curl: libcurl: Information disclosure via incorrect Proxy-Authorization header reuse 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CWE-201

A flaw was found in libcurl. When a user performs a transfer over an HTTP proxy using Digest authentication and then reuses the same handle for a second transfer with a different proxy host, libcurl incorrectly sends the `Proxy-Authorization` header intended for the first proxy to the second proxy. This could lead to the disclosure of sensitive authentication information to an unintended proxy, potentially allowing an attacker to gain unauthorized access or impersonate the user.

Moderate: A flaw in libcurl allows for information disclosure when a client reuses a handle for HTTP proxy transfers. If a libcurl application uses Digest authentication with one proxy and then connects to a different proxy using the same handle, the `Proxy-Authorization` header from the initial connection may be inadvertently sent to the second proxy, potentially exposing sensitive authentication data. Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Hardened Images 2026-05-19T00:00:00Z RHSA-2026:19106 curl-main-8.20.0-2.hum1 Red Hat Enterprise Linux 10 Fix deferred curl Red Hat Enterprise Linux 6 Fix deferred curl Red Hat Enterprise Linux 7 Fix deferred curl Red Hat Enterprise Linux 8 Fix deferred curl Red Hat Enterprise Linux 9 Fix deferred curl Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-7168 https://nvd.nist.gov/vuln/detail/CVE-2026-7168 http://www.openwall.com/lists/oss-security/2026/04/29/14 https://curl.se/docs/CVE-2026-7168.html https://curl.se/docs/CVE-2026-7168.json https://hackerone.com/reports/3697719