CVE-2026-1965
Description
libcurl can in some circumstances reuse the wrong connection when asked to doan Negotiate-authenticated HTTP or HTTPS request.libcurl features a pool of recent connections so that subsequent requests canreuse an existing connection to avoid overhead.When reusing a connection a range of criterion must first be met. Due to alogical error in the code, a request that was issued by an application couldwrongfully reuse an existing connection to the same server that wasauthenticated using different credentials. One underlying reason being thatNegotiate sometimes authenticates *connections* and not *requests*, contraryto how HTTP is designed to work.An application that allows Negotiate authentication to a server (that respondswanting Negotiate) with user1:password1 and then does another operation tothe same server also using Negotiate but with user2:password2 (while theprevious connection is still alive) - the second request wrongly reused thesame connection and since it then sees that the Negotiate negotiation isalready made, it just sends the request over that connection thinking it usesthe user2 credentials when it is in fact still using the connectionauthenticated for user1...The set of authentication methods to use is set with CURLOPT_HTTPAUTH.Applications can disable libcurls reuse of connections and thus mitigate thisproblem, by using one of the following libcurl options to alter howconnections are or are not reused: CURLOPT_FRESH_CONNECT,CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using thecurl_multi API).
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2026-3805,CVE-2026-3784,CVE-2026-3783,CVE-2026-1965 are fixed in Curl For Windows 8.19.0 | Windows |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234