CVE-2026-3784

March 12, 2026, 2:09 p.m.

6.5
Medium

Description

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Product(s) Impacted

Vendor Product Versions
Haxx
  • Curl
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-305
Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a haxx curl / / / / / / / /

References

https://curl.se/docs/CVE-2026-3784.html
https://curl.se/docs/CVE-2026-3784.json
https://hackerone.com/reports/3584903
http://www.openwall.com/lists/oss-security/2026/03/11/3

Tags

CWE-305
2499f714-1537-4658-8207-48ae4bb9eae9
2026-03-11
CVE-2026-3784

CVSS Score

6.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: March 11, 2026, 11:16 a.m.
Last Modified: March 12, 2026, 2:09 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

2499f714-1537-4658-8207-48ae4bb9eae9

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.