{"id":"CURL-CVE-2026-6276","summary":"stale custom cookie host causes cookie leak","details":"Using libcurl, when a custom `Host:` header is first set for an HTTP request\nand a second request is subsequently done using the same *easy handle* but\nwithout the custom `Host:` header set, the second request would use stale\ninformation and pass on cookies meant for the first host in the second\nrequest. Leak them.","aliases":["CVE-2026-6276"],"modified":"2026-05-29T05:40:13.113032Z","published":"2026-04-29T08:00:00Z","database_specific":{"CWE":{"desc":"Origin Validation Error","id":"CWE-346"},"URL":"https://curl.se/docs/CVE-2026-6276.json","affects":"lib","issue":"https://hackerone.com/reports/3671818","last_affected":"8.19.0","package":"curl","severity":"Low","www":"https://curl.se/docs/CVE-2026-6276.html"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.71.0"},{"fixed":"8.20.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"e15e51384a423be31318b3c9c7d612a1aae661fd"},{"fixed":"3a19987a87f393d9394fe5acc7643f6c263c92db"}]}],"versions":["8.19.0","8.18.0","8.17.0","8.16.0","8.15.0","8.14.1","8.14.0","8.13.0","8.12.1","8.12.0","8.11.1","8.11.0","8.10.1","8.10.0","8.9.1","8.9.0","8.8.0","8.7.1","8.7.0","8.6.0","8.5.0","8.4.0","8.3.0","8.2.1","8.2.0","8.1.2","8.1.1","8.1.0","8.0.1","8.0.0","7.88.1","7.88.0","7.87.0","7.86.0","7.85.0","7.84.0","7.83.1","7.83.0","7.82.0","7.81.0","7.80.0","7.79.1","7.79.0","7.78.0","7.77.0","7.76.1","7.76.0","7.75.0","7.74.0","7.73.0","7.72.0","7.71.1","7.71.0","rc-8_20_0-2","rc-8_20_0-1","curl-8_19_0","rc-8_19_0-3","rc-8_19_0-2","rc-8_19_0-1","curl-8_18_0","rc-8_18_0-3","rc-8_18_0-2","rc-8_18_0-1","curl-8_17_0","curl-8_16_0","curl-8_15_0","curl-8_14_1","curl-8_14_0","curl-8_13_0","curl-8_12_1","curl-8_12_0","curl-8_11_1","curl-8_11_0","curl-8_10_1","curl-8_10_0","curl-8_9_1","curl-8_9_0","curl-8_8_0","curl-8_7_1","curl-8_7_0","curl-8_6_0","curl-8_5_0","tiny-curl-8_4_0","curl-8_4_0","curl-8_3_0","curl-8_2_1","curl-8_2_0","curl-8_1_2","curl-8_1_1","curl-8_1_0","curl-8_0_1","curl-8_0_0","curl-7_88_1","curl-7_88_0","curl-7_87_0","curl-7_86_0","curl-7_85_0","curl-7_84_0","curl-7_83_1","curl-7_83_0","curl-7_82_0","curl-7_81_0","curl-7_80_0","curl-7_79_1","curl-7_79_0","curl-7_78_0","curl-7_77_0","curl-7_76_1","curl-7_76_0","curl-7_75_0","curl-7_74_0","curl-7_73_0","tiny-curl-7_72_0","curl-7_72_0","curl-7_71_1","curl-7_71_0"],"database_specific":{"source":"https://curl.se/docs/CURL-CVE-2026-6276.json","vanir_signatures_modified":"2026-05-29T05:40:13Z","vanir_signatures":[{"deprecated":false,"digest":{"function_hash":"87592061230657955318981218133684999975","length":1414},"id":"CURL-CVE-2026-6276-0ac65ced","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/http.c","function":"http_header_s"}},{"id":"CURL-CVE-2026-6276-0ffe0f69","signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/request.c"},"deprecated":false,"digest":{"line_hashes":["171988240512984612269587551632163038571","75389831611962138348117264801186539779","73309598378597236808913704521649040122","309646044060919705357756477712025259850"],"threshold":0.9}},{"deprecated":false,"digest":{"function_hash":"32051988689081819522737095878233749408","length":1702},"id":"CURL-CVE-2026-6276-11ff6443","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/http.c","function":"http_cookies"}},{"deprecated":false,"digest":{"function_hash":"302147203344973433846057051405572447583","length":2418},"id":"CURL-CVE-2026-6276-2729c5da","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/url.c","function":"Curl_close"}},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/request.h"},"deprecated":false,"digest":{"line_hashes":["174911612641010941780281456357795994083","182851755633630007462614611881954198795","264369094720985994471578876087369011512","223266319994001853435859657481562263016"],"threshold":0.9},"id":"CURL-CVE-2026-6276-4f4a3478","signature_type":"Line"},{"digest":{"length":1808,"function_hash":"305791396478226075161736883888702136045"},"id":"CURL-CVE-2026-6276-5741a933","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/http.c","function":"http_set_aptr_host"},"deprecated":false},{"signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/http.c"},"deprecated":false,"digest":{"line_hashes":["283982150811995305986753465288461254359","13272546088090968712004108453229921672","167426382410054945077929403440748535987","30112886187398335960284659399942913113","89959965356516376283576457035109926291","65012684279830032400373560626778044514","277638126568657774373486091485254830257","16357392304951050524263955452404846358","98648851675095774467569604512276434063","211464355238834856707255458651466173398","100175197604038361224512095789956406932","109730848940614471037942941140006037492","140193860686819141126457796534230004668","286575543071640766658936213512709959211","46397033835876317614014667242428368194","243253942449659807455321154521747228966","165774944775710093316824606978267144930","258653442541979759167112828639262956820","192064049689208402819665008320946912087"],"threshold":0.9},"id":"CURL-CVE-2026-6276-64949095","signature_type":"Line"},{"target":{"file":"lib/url.c"},"deprecated":false,"digest":{"line_hashes":["254921028774265211208121895098925147474","304514420562509900711684113576259828185","254392577978580508779840959026138582541","222543298672355698477439219408390343716"],"threshold":0.9},"id":"CURL-CVE-2026-6276-bd4dcaea","signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db"},{"deprecated":false,"digest":{"function_hash":"53635957160524668241827803467331392725","length":1532},"id":"CURL-CVE-2026-6276-c0002ed9","signature_type":"Function","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"function":"Curl_req_hard_reset","file":"lib/request.c"}},{"digest":{"line_hashes":["47901756535975908674893528439717975135","117783477264053496164275795880668466993","5957519917623989520335370390434225490","189490742605084598927439303412946635010","52306912415285677421639882584265520515","174420618053987917779352372379083604925"],"threshold":0.9},"id":"CURL-CVE-2026-6276-ebf2e4e4","signature_type":"Line","signature_version":"v1","source":"https://github.com/curl/curl.git/commit/3a19987a87f393d9394fe5acc7643f6c263c92db","target":{"file":"lib/urldata.h"},"deprecated":false}]}}],"schema_version":"1.7.5","credits":[{"name":"Muhamad Arga Reksapati","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}