CVE-2026-6429

medium

Description

When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

References

https://hackerone.com/reports/3677759

https://curl.se/docs/CVE-2026-6429.json

https://curl.se/docs/CVE-2026-6429.html

Details

Source: Mitre, NVD

Published: 2026-05-13

Updated: 2026-05-14

Risk Information

CVSS v2

Base Score: 5.4

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N