Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3108 articles · 171957 vulns · 37/41 feeds (7d)
← Back to list
9.1
CVE-2026-8926EXPLOITED
curl · curl

password leak with netrc and user in URL

Description

When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user.

Affected Products

VendorProductVersions
curlcurl8.20.0, 8.19.0, 8.18.0, 8.17.0, 8.16.0, 8.15.0, 8.14.1, 8.14.0, 8.13.0, 8.12.1, 8.12.0, 8.11.1

References

  • https://curl.se/docs/CVE-2026-8926.json
  • https://curl.se/docs/CVE-2026-8926.html
  • https://hackerone.com/reports/3735184

Related News (3 articles)

Tier A
Microsoft MSRC2h ago
CVE-2026-8926 password leak with netrc and user in URL
→ No new info (linked only)
Tier C
VulDB4d ago
CVE-2026-8926 | cURL up to 8.20.0 insufficiently protected credentials
→ No new info (linked only)
Tier B
BSI Advisories12d ago
[NEU] [mittel] cURL: Mehrere Schwachstellen
→ No new info (linked only)
CVSS 3.19.1 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA KEV❌ No
Actively exploited✅ Yes
PublishedJul 3, 2026
Last enriched4d agov2
Tags
CVE-2026-8926
Trending Score77
Source articles3
Independent3
Info Completeness7/14
Missing: epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-10536
HTTP/2 stream-dependency tree UAF
Trending: 68
CRITICALCVE-2026-8924
trailing dot domain super cookie
Trending: 68
CRITICALCVE-2026-9080EXP
UAF after pause in socket callback
Trending: 61
HIGHCVE-2026-8286
wrong STARTTLS connection reuse
Trending: 59
HIGHCVE-2026-9545
exposing HTTP/3 early data
Trending: 56

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 3, 2026
Discovered by ZDM
Jul 3, 2026
Updated: severity, cvssEstimate, activelyExploited, tags
Jul 3, 2026
Actively Exploited
Jul 6, 2026

Version History

v2
Last enriched 4d ago
v2Tier C4d ago

Updated severity to HIGH, added CVSS estimate of 7.5, marked as actively exploited, and added CVE-2026-8926 tag.

severitycvssEstimateactivelyExploitedtags
via VulDB
v14d ago

Initial creation