<Vulnerability name="CVE-2026-9546">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-03T06:18:14</PublicDate>
    <Bugzilla id="2496770" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496770" xml:lang="en:us">
libcurl: libcurl: Information disclosure due to persistent Referer header
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-201</CWE>
    <Details xml:lang="en:us" source="Mitre">
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even
when explicitly cleared. While the documentation states that passing NULL to
`CURLOPT_REFERER` suppresses the header, the option failed to clear the
internal state. As a result the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in libcurl. This vulnerability causes the HTTP Referer header to persist even after it has been explicitly cleared. This can lead to the previous referrer string being unintentionally reused and sent in subsequent requests, potentially disclosing sensitive information to unintended servers.
    </Details>
    <Statement xml:lang="en:us">
Important: A flaw in libcurl allows for sensitive information disclosure. Despite attempts to explicitly clear the HTTP Referer header, its internal state persists, leading to the unintended reuse and transmission of previous referrer strings in subsequent requests. This could expose sensitive data to unintended third-party servers in Red Hat products and services that rely on libcurl for HTTP communications.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29017">RHSA-2026:29017</Advisory>
        <Package name="curl-main">curl-main-8.21.0-0.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Not affected</FixState>
        <PackageName>dotnet8.0</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl-1.dll</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:jboss_core_services:1">
        <ProductName>Red Hat JBoss Core Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>libcurl.so</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9546
https://nvd.nist.gov/vuln/detail/CVE-2026-9546
https://curl.se/docs/CVE-2026-9546.html
https://curl.se/docs/CVE-2026-9546.json
https://hackerone.com/reports/3754343
    </References>
</Vulnerability>