curl and libcurl versions 7.10.6 through 8.19.0 can reuse an authenticated connection under the wrong credentials. Upgrade now.
Impact
CVE-2026-5545 affects curl and libcurl. The flaw can cause an application to send an authenticated HTTP or HTTPS request over a connection authenticated as a different user.
Severity is Medium. NVD lists CVSS v3.1 as 6.5, with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N. CISA-ADP lists the same score and vector in the NVD record.
This is not remote code execution. It is credential confusion. That still matters. In affected workflows, one user action can be processed under another user's existing authenticated connection.
Affected Products
Affected versions are curl and libcurl 7.10.6 through 8.19.0. curl 8.20.0 and later are not affected. Versions before 7.10.6 are not affected because the issue dates back to the introduction of Negotiate support.
The vulnerable component is libcurl's HTTP authentication and connection reuse logic. The curl command-line tool is also affected.
The exposure is broader than visible curl deployments. Many products embed libcurl without showing it in the user interface. Appliances, agents, developer tools, backup clients, package managers, security products, and internal services may carry vulnerable libcurl builds.
Technical Details
The bug is in connection reuse after HTTP Negotiate authentication. HTTP Negotiate commonly wraps Kerberos or NTLM through SPNEGO. It is used in enterprise environments for single sign-on and domain authentication.
libcurl keeps a pool of recent connections. That is normal. Reusing a TLS connection saves handshake cost and improves throughput. Reuse is only safe when the new request matches the security properties of the existing connection.
CVE-2026-5545 breaks that assumption in a specific case. An application first authenticates to a host with Negotiate as one user. The connection remains alive. The same application then sends a second request to the same host using different credentials and an authentication method set through CURLOPT_HTTPAUTH. Due to a logic error, libcurl can select the existing Negotiate-authenticated connection anyway.
The result is identity confusion. The application believes the second request uses the second credential set. The server sees the request on a connection already authenticated as the first user.
That can create integrity impact. The wrong account can perform the action. It can also create limited confidentiality impact if the second operation receives data bound to the first identity.
Attack complexity is high because exploitation depends on application behavior. The attacker needs a sequence in which the same process talks to the same host, uses Negotiate, changes credentials, and keeps the earlier connection alive. The CVSS vector records no user interaction and no prior privileges as required.
NVD maps the weakness to CWE-613, Insufficient Session Expiration. The curl advisory maps it to CWE-305, Authentication Bypass by Primary Weakness. Both point to the same operational problem: authenticated state outlives the assumptions made by the next request.
Mitigation
Upgrade to curl and libcurl 8.20.0. This is the preferred fix. The curl advisory states that 8.20.0 prevents Negotiate connections from being wrongly reused.
If immediate upgrade is not possible, apply the upstream patch and rebuild libcurl. The fixed commit is available in the curl GitHub repository.
If neither option is available, reduce exposure. Avoid HTTP Negotiate in affected applications. Disable or restrict connection reuse where possible. Relevant libcurl controls include CURLOPT_FRESH_CONNECT (force a new connection for the transfer), CURLOPT_MAXCONNECTS (cap the connection cache of an easy handle), and, for applications using the multi interface, CURLMOPT_MAX_HOST_CONNECTIONS (cap simultaneous connections to one host). Forcing fresh connections adds a TLS handshake per request, so measure the throughput cost before relying on it as a long-term setting.
Administrators should inventory embedded libcurl copies. Do not stop at operating system packages. Check statically linked binaries, vendor appliances, containers, language bindings, and bundled developer tools.
Timeline
The issue was reported to the curl project on April 1, 2026. curl notified distros@openwall on April 23, 2026. The advisory and curl 8.20.0 were published on April 29, 2026. NVD published the CVE record on May 13, 2026.
Reporters are credited as Quac Tran and Ngoc Hieu. The patch is credited to Stefan Eissing.
Required Action
Patch now if your software uses libcurl with authenticated HTTP or HTTPS. Prioritize systems using Negotiate, Kerberos, NTLM, or enterprise single sign-on flows.
Confirm the linked libcurl version at runtime. Rebuild affected applications. Redeploy containers. Validate vendor firmware and third-party agents. Monitor for unexpected account attribution in application logs where one service process performs requests for multiple users.
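The version check described in the inventory and required-action steps, as an added example that is not code from the curl project or from this advisory: the script classifies a version banner against the affected range stated above and, where a libcurl shared library exists on the host, asks it for its own banner through the real curl_version() API via ctypes. The sample banners are constructed; the range constants are the advisory's.

```python
import ctypes
import ctypes.util
import re

# Range stated in the advisory: 7.10.6 through 8.19.0 affected, 8.20.0 fixed.
FIRST_AFFECTED = (7, 10, 6)
FIRST_FIXED = (8, 20, 0)

# Matches "libcurl/8.19.0" (curl_version(), "curl -V") and "curl/8.19.0" (User-Agent).
_VERSION_RE = re.compile(r"\b(?:lib)?curl/(\d+)\.(\d+)\.(\d+)")

def parse_libcurl_version(banner):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when version lies in [7.10.6, 8.20.0), i.e. lacks the 8.20.0 fix."""
    return FIRST_AFFECTED <= tuple(version) < FIRST_FIXED

def assess(banner):
    v = parse_libcurl_version(banner)
    if v is None:
        return "unknown: no libcurl version token in banner"
    verdict = "AFFECTED by CVE-2026-5545" if is_affected(v) else "not affected"
    return "libcurl %d.%d.%d: %s" % (v + (verdict,))

def probe_loaded_libcurl():
    """Banner from this host's libcurl via the real curl_version() API, or None."""
    path = ctypes.util.find_library("curl")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.curl_version.restype = ctypes.c_char_p
    return lib.curl_version().decode("ascii", "replace")

# Constructed sample banners (not real probe output) covering the boundaries.
SAMPLES = [
    "libcurl/8.19.0 OpenSSL/3.0.13 zlib/1.3",  # last affected release
    "libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3",  # first fixed release
    "curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9",
]
if __name__ == "__main__":
    for banner in SAMPLES:
        print(assess(banner))
    live = probe_loaded_libcurl()
    print("loaded on this host:", assess(live) if live else "no libcurl found")
```

The probe only reports the libcurl found through the dynamic loader; statically linked copies inside vendor binaries still need a separate inventory pass.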