Three curl vulnerabilities involve credential and token leakage due to improper connection reuse and redirect handling, with attack vectors via Negotiate-authenticated HTTP/HTTPS requests (CVE-2026-1965, CVSS 6.5), OAuth2 bearer token redirects (CVE-2026-3783, CVSS 5.3), and HTTP proxy connections with differing credentials (CVE-2026-3784, CVSS 6.5). Affected versions are haxx curl 7.10.6 through 8.18.9, with specific ranges varying per CVE. The fixed versions are curl 8.19.0 for CVE-2026-1965 and CVE-2026-3783, and curl 8.18.0 for CVE-2026-3784.
Zhicheng Chen discovered that curl could incorrectly reuse the wrong connection for Negotiate-authenticated HTTP or HTTPS requests. This could result in the use of credentials from a different connection, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-1965) It was discovered that curl incorrectly leaked OAuth2 bearer tokens when following a redirect. This could result in tokens being sent to the wrong host, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. (CVE-2026-3783) Muhamad Arga Reksapati discovered that curl incorrectly reused existing HTTP proxy connections even if the request used different credentials. This could result in the use of incorrect credentials, contrary to expectations. (CVE-2026-3784)