<Vulnerability name="CVE-2026-9547">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-03T06:18:44</PublicDate>
    <Bugzilla id="2496758" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496758" xml:lang="en:us">
curl: curl: Man-in-the-middle attack via SSH host key bypass
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>7.4</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-347</CWE>
    <Details xml:lang="en:us" source="Mitre">
When a libcurl-based application performs transfers via `SCP://` or `SFTP://`
and utilizes the `CURLOPT_SSH_KEYFUNCTION` callback, it may silently accept an
untrusted server. This vulnerability occurs when a server presents a host key
type that does not match the specific key type already recorded for that host
in the `known_hosts` file. Instead of rejecting the mismatch, the callback
mechanism fails to properly enforce the restriction, allowing the connection
to succeed without warning and risking a potential man-in-the-middle attack.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in curl. When a libcurl-based application uses SCP:// or SFTP:// for transfers and employs the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an untrusted server. This occurs if the server's host key type differs from the one stored in the known_hosts file. The callback mechanism fails to enforce the host key restriction, enabling a connection to an untrusted server and risking a man-in-the-middle attack.
    </Details>
    <Statement xml:lang="en:us">
This is an Important flaw where libcurl-based applications performing SCP or SFTP transfers with the CURLOPT_SSH_KEYFUNCTION callback may silently accept an untrusted server. This occurs when a server presents a host key type that differs from the one recorded in the known_hosts file, bypassing a critical host key verification and enabling potential man-in-the-middle attacks. The vulnerability requires specific application callback usage, not a general curl client default.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-06-24T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:29017">RHSA-2026:29017</Advisory>
        <Package name="curl-main">curl-main-8.21.0-0.1.hum1</Package>
    </AffectedRelease>
    <AffectedRelease cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-02T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:34975">RHSA-2026:34975</Advisory>
        <Package name="rust-main">rust-main-1.96.1-1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>curl</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Affected</FixState>
        <PackageName>devspaces/code-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:trusted_profile_analyzer:2">
        <ProductName>Red Hat Trusted Profile Analyzer</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhtpa/rhtpa-trustification-service-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9547
https://nvd.nist.gov/vuln/detail/CVE-2026-9547
https://curl.se/docs/CVE-2026-9547.html
https://curl.se/docs/CVE-2026-9547.json
https://hackerone.com/reports/3751712
    </References>
</Vulnerability>