When asking curl to use a `.netrc` file to find credentials and at the same
time specifying a URL with a username(without a password), like
`https://user@example.com/`, curl could wrongly get and use the password for
*another* user set in the `.netrc` file for that host if such a one exists and
there is no match for the specified user.
time specifying a URL with a username(without a password), like
`https://user@example.com/`, curl could wrongly get and use the password for
*another* user set in the `.netrc` file for that host if such a one exists and
there is no match for the specified user.
Advisories
| Source | ID | Title |
|---|---|---|
Ubuntu USN |
USN-8487-1 | curl vulnerabilities |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-200 |
Fri, 03 Jul 2026 08:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Curl
Curl curl |
|
| Vendors & Products |
Curl
Curl curl |
Fri, 03 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | When asking curl to use a `.netrc` file to find credentials and at the same time specifying a URL with a username(without a password), like `https://user@example.com/`, curl could wrongly get and use the password for *another* user set in the `.netrc` file for that host if such a one exists and there is no match for the specified user. | |
| Title | password leak with netrc and user in URL | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-07-03T06:15:45.735Z
Reserved: 2026-05-19T08:11:58.393Z
Link: CVE-2026-8926
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-03T09:45:05Z
Weaknesses
Ubuntu USN