Latest release, curl/libcurl 8.20.0 Fixes Security Vulnerabilities
Posted: Wed Apr 29, 2026 2:29 pm
The latest release, curl/libcurl 8.20.0, fixes several security vulnerabilities disclosed on April 29, 2026. Versions up to and including 8.19.0 were affected.
Important: Not every vulnerability affects every system directly. The risk is higher if applications use libcurl with features such as proxy authentication, redirects, SMB, cookies, .netrc, Digest authentication, or HTTP Negotiate/Kerberos.
Examples of fixed CVEs:
CVE-2026-5545 – incorrect reuse of HTTP Negotiate connections
CVE-2026-5773 – incorrect reuse of SMB connections
CVE-2026-6253 – proxy credentials may leak during redirects
CVE-2026-6429 – .netrc credentials may leak over proxy connections
CVE-2026-7168 – Digest authentication state may leak between proxies
The curl project recommends upgrading to curl/libcurl 8.20.0 or applying your distribution’s security patches.
On Debian/Ubuntu, you can check and update with:
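# Show the installed curl/libcurl version
curl --version
# Refresh package lists first so the upgradable list is current
sudo apt update
apt list --upgradable | grep curl
# Install pending upgrades
sudo apt upgrade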
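An added example, not part of the original post: a shell function that reads a `curl --version` banner, compares the version numerically against 8.20.0, and reports which of the features named above (SMB, Negotiate/Kerberos) are compiled into the build. The function names and the sample banner are constructed for illustration. Distribution packages often backport fixes without changing the upstream version number, so an older version string means "check the package changelog", not proof of exposure.

```shell
#!/usr/bin/env bash
# Added example: triage a `curl --version` banner against the 8.20.0 release.

FIXED="8.20.0"   # fixed release named in the post

# Succeeds when dotted version $1 is strictly lower than $2.
# Compares field by field as numbers, so 8.5.0 < 8.20.0 (a string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Read a `curl --version` banner on stdin and print a short triage report.
triage_curl_banner() {
    local banner ver protocols features f
    banner=$(cat)
    ver=$(printf '%s\n' "$banner" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p')
    protocols=$(printf '%s\n' "$banner" | sed -n 's/^Protocols: //p')
    features=$(printf '%s\n' "$banner" | sed -n 's/^Features: //p')

    if [ -z "$ver" ]; then
        echo "status=unknown"; return 2
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "status=older-than-$FIXED version=$ver"
    else
        echo "status=at-or-above-$FIXED version=$ver"
    fi
    # Build-time capabilities that correspond to features the post lists.
    case " $protocols " in *" smb "*) echo "built-in=smb" ;; esac
    for f in SPNEGO Kerberos GSS-API; do
        case " $features " in *" $f "*) echo "built-in=$f" ;; esac
    done
}

# Constructed sample banner (not captured from a real host).
SAMPLE_BANNER='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https imap smb smbs smtp
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 IPv6 Kerberos SPNEGO SSL'

# Live use on a host: curl --version | triage_curl_banner
```

The banner only shows what the binary was built with; whether an application actually uses proxy authentication, redirects, cookies or .netrc has to be checked in that application's configuration.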