CVE-2026-5545: wrong reuse of HTTP Negotiate connection

Published Apr 29, 2026
·
Updated

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead. When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. An application that first uses Negotiate authentication to a server with `user1:password1` and then does another operation to the same server asking for any authentication method but for `user2:password2` (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Affected Software

2 affected components
curl libcurl
haxx curl>=7.10.6<8.20.0

Remediation

Patch Available

https://curl.se/docs/CVE-2026-5545.html

Event History

May 13, 2026
CVE Published
via MITRE·08:27 AM
Data Sourced
via MITRE·08:27 AM
DescriptionWeakness
Data Sourced
via NVD·01:01 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-5545?

CVE-2026-5545 has a medium severity rating due to potential unauthorized access risks.

2

How do I fix CVE-2026-5545?

To fix CVE-2026-5545, upgrade to the latest version of libcurl that addresses this vulnerability.

3

What software is affected by CVE-2026-5545?

CVE-2026-5545 affects certain versions of curl and libcurl between 7.10.6 and 8.20.0.

4

What is the impact of CVE-2026-5545?

The impact of CVE-2026-5545 can lead to inadvertent reuse of connections, possibly resulting in authentication errors.

5

How can I determine if I am using a vulnerable version regarding CVE-2026-5545?

To determine if you are using a vulnerable version for CVE-2026-5545, check your libcurl version against the specified affected version range.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203