CVE-2026-9546 (GCVE-0-2026-9546)
Vulnerability from cvelistv5 – Published: 2026-07-03 06:18 – Updated: 2026-07-03 06:18
VLAI
Title
sending old referer
Summary
A vulnerability in libcurl caused the HTTP `Referer:` header to persist even
when explicitly cleared. While the documentation states that passing NULL to
`CURLOPT_REFERER` suppresses the header, the option failed to clear the
internal state. As a result the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.
Severity
No CVSS data available.
Assigner
References
Impacted products
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "curl",
"vendor": "curl",
"versions": [
{
"lessThanOrEqual": "8.20.0",
"status": "affected",
"version": "8.20.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.19.0",
"status": "affected",
"version": "8.19.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.18.0",
"status": "affected",
"version": "8.18.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "renjian on hackerone"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Daniel Stenberg"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\nwhen explicitly cleared. While the documentation states that passing NULL to\n`CURLOPT_REFERER` suppresses the header, the option failed to clear the\ninternal state. As a result the previous referrer string was erroneously\nreused and sent in subsequent requests, potentially leaking sensitive\ninformation to unintended servers."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T06:18:14.447Z",
"orgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"shortName": "curl"
},
"references": [
{
"name": "json",
"url": "https://curl.se/docs/CVE-2026-9546.json"
},
{
"name": "www",
"url": "https://curl.se/docs/CVE-2026-9546.html"
},
{
"name": "issue",
"url": "https://hackerone.com/reports/3754343"
}
],
"title": "sending old referer"
}
},
"cveMetadata": {
"assignerOrgId": "2499f714-1537-4658-8207-48ae4bb9eae9",
"assignerShortName": "curl",
"cveId": "CVE-2026-9546",
"datePublished": "2026-07-03T06:18:14.447Z",
"dateReserved": "2026-05-26T06:45:18.723Z",
"dateUpdated": "2026-07-03T06:18:14.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9546",
"date": "2026-07-04",
"epss": "0.00206",
"percentile": "0.10783"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9546\",\"sourceIdentifier\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"published\":\"2026-07-03T07:16:25.893\",\"lastModified\":\"2026-07-03T07:16:25.893\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability in libcurl caused the HTTP `Referer:` header to persist even\\nwhen explicitly cleared. While the documentation states that passing NULL to\\n`CURLOPT_REFERER` suppresses the header, the option failed to clear the\\ninternal state. As a result the previous referrer string was erroneously\\nreused and sent in subsequent requests, potentially leaking sensitive\\ninformation to unintended servers.\"}],\"affected\":[{\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\",\"affectedData\":[{\"vendor\":\"curl\",\"product\":\"curl\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"8.20.0\",\"lessThanOrEqual\":\"8.20.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.19.0\",\"lessThanOrEqual\":\"8.19.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"8.18.0\",\"lessThanOrEqual\":\"8.18.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{},\"references\":[{\"url\":\"https://curl.se/docs/CVE-2026-9546.html\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://curl.se/docs/CVE-2026-9546.json\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"},{\"url\":\"https://hackerone.com/reports/3754343\",\"source\":\"2499f714-1537-4658-8207-48ae4bb9eae9\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…