Last updated: July 5, 2026 at 9:01 AM UTC
Tag: curl (1 article)

Curl's largest security release fixes 18 flaws, including a 25-year-old bug

The curl project shipped its largest-ever security release, version 8.21.0, fixing 18 vulnerabilities, among them a flaw that had gone unnoticed for 25 years. That bug (CVE-2026-8932) lets an application reuse an existing connection even after its client certificate or key changed, allowing an authentication bypass; it affects software built on the libcurl library rather than the command-line tool. Other fixes address credential confusion, memory-corruption bugs, and improper host validation. Most are rated medium or low, but libcurl is embedded in an enormous range of products, from IoT devices to CI/CD pipelines and cars, so the practical reach is large and easy to overlook.

Check
Identify where curl and especially the libcurl library are used across your applications, devices, containers, and build pipelines, since most exposure comes from embedded libcurl rather than the command-line tool.
Affected
Applications and devices built on libcurl before version 8.21.0 (CVE-2026-8932 and others); those using mutual TLS with changing client certificates face an authentication-bypass risk through connection reuse.
Fix
Update to curl and libcurl 8.21.0, rebuild and redeploy software that bundles libcurl, and prioritize systems using mutual TLS or handling credentials, including embedded and IoT devices that update slowly.
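
For the Check step, one way to find embedded copies of libcurl in an unpacked container image, firmware root, or build output. This is an added example, not code from the article or the curl project. It assumes that libcurl builds contain a "libcurl/X.Y.Z" banner string; the function names and sample bytes are constructed for illustration.

```python
import os
import re
import stat
import tempfile

FIXED = (8, 21, 0)  # first fixed release, per the article
# Heuristic: libcurl builds carry a "libcurl/X.Y.Z" banner string.
BANNER = re.compile(rb"libcurl/(\d+)\.(\d+)\.(\d+)")
MAX_BYTES = 64 * 1024 * 1024  # skip very large files to bound the scan

def versions_in(data: bytes) -> set:
    """Return every libcurl version tuple whose banner appears in data."""
    return {tuple(int(p) for p in m.groups()) for m in BANNER.finditer(data)}

def needs_update(version: tuple) -> bool:
    """True when the version predates the fixed release (numeric compare)."""
    return version < FIXED

def scan_tree(root: str) -> list:
    """Walk root; return sorted (path, 'X.Y.Z', needs_update) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Regular files only: skips symlinks, FIFOs and devices.
                if not stat.S_ISREG(st.st_mode) or st.st_size > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip, do not abort the scan
            for v in sorted(versions_in(data)):
                findings.append((path, ".".join(map(str, v)), needs_update(v)))
    return sorted(findings)

def demo() -> list:
    """Scan a constructed tree: an old static binary and a patched library."""
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed sample bytes, not real binaries
            "agent": b"\x7fELF\x00junk libcurl/7.88.1 OpenSSL\x00",
            "libcurl.so.4": b"\x7fELF\x00 libcurl/8.21.0 \x00",
            "notes.txt": b"no banner here",
        }
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return [(os.path.basename(p), v, old) for p, v, old in scan_tree(root)]
```

Call `scan_tree()` on an extracted filesystem and treat every row with `True` as a rebuild candidate. Compressed or packed binaries will not expose the banner, so an empty result does not prove libcurl is absent.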