related option had been changed that should have prohibited reuse.
libcurl keeps previously used connections in a connection pool for subsequent
transfers to reuse if one of them matches the setup. However, some TLS
settings related to client certificates were left out from the configuration
match checks, making them match too easily. In particular options related to
the private key.
Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 07 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-1025 | |
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Mon, 06 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 |
Mon, 06 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 06 Jul 2026 01:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 |
Sun, 05 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-20 CWE-640 |
Sun, 05 Jul 2026 01:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-20 CWE-640 |
Sat, 04 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-285 CWE-287 |
Sat, 04 Jul 2026 01:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-285 CWE-287 |
Fri, 03 Jul 2026 21:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-285 CWE-287 |
Fri, 03 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Curl
Curl curl |
|
| Vendors & Products |
Curl
Curl curl |
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-285 CWE-287 |
Fri, 03 Jul 2026 06:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | libcurl would reuse a previously created connection even when some mTLS config related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, some TLS settings related to client certificates were left out from the configuration match checks, making them match too easily. In particular options related to the private key. | |
| Title | incomplete mTLS config matching in conn reuse | |
| References |
|
Status: PUBLISHED
Assigner: curl
Published:
Updated: 2026-07-06T16:59:07.104Z
Reserved: 2026-05-19T08:56:58.825Z
Link: CVE-2026-8932
Updated: 2026-07-06T16:59:01.856Z
No data.
OpenCVE Enrichment
Updated: 2026-07-07T08:15:05Z