Vulnerability in Curl

CVE-2026-3783

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redi…

EPSS: 0.000 (8.5th percentile)

Affected products

  • Curl — versions 8.18.0, 8.17.0, 8.16.0
