CVE-2026-6276: stale custom cookie host causes cookie leak

Q: What is the severity of CVE-2026-6276?

CVE-2026-6276 is considered a moderate severity vulnerability due to the risk of cookie leakage.

Q: How do I fix CVE-2026-6276?

To fix CVE-2026-6276, ensure that custom Host headers are properly managed and avoid using stale requests without resetting the Host header.

Q: What kind of applications are affected by CVE-2026-6276?

CVE-2026-6276 affects applications that use libcurl for HTTP requests with custom Host headers.

Q: What is the impact of CVE-2026-6276 on user privacy?

The impact of CVE-2026-6276 on user privacy includes the potential exposure of sensitive cookies to unintended hosts.

Q: When was CVE-2026-6276 reported?

CVE-2026-6276 was reported in 2026, highlighting the importance of managing HTTP request headers securely.

Published Apr 29, 2026

Updated

Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information and pass on cookies meant for the first host in the second request. Leak them.

Affected Software

2 affected components

curl libcurl

haxx curl>=7.71.0<8.20.0

Remediation

Patch Available

https://curl.se/docs/CVE-2026-6276.html

Event History

May 13, 2026

CVE Published

via MITRE·08:28 AM

Data Sourced

via MITRE·08:28 AM

DescriptionWeakness

Data Sourced

via NVD·01:01 PM

RemedyDescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-6276?

CVE-2026-6276 is considered a moderate severity vulnerability due to the risk of cookie leakage.

How do I fix CVE-2026-6276?

To fix CVE-2026-6276, ensure that custom Host headers are properly managed and avoid using stale requests without resetting the Host header.

What kind of applications are affected by CVE-2026-6276?

CVE-2026-6276 affects applications that use libcurl for HTTP requests with custom Host headers.

What is the impact of CVE-2026-6276 on user privacy?

The impact of CVE-2026-6276 on user privacy includes the potential exposure of sensitive cookies to unintended hosts.

When was CVE-2026-6276 reported?

CVE-2026-6276 was reported in 2026, highlighting the importance of managing HTTP request headers securely.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.

CVE-2026-6276: stale custom cookie host causes cookie leak

Affected Software

Remediation

Patch Available

Event History

Don't miss critical vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2026-6276?

How do I fix CVE-2026-6276?

What kind of applications are affected by CVE-2026-6276?

What is the impact of CVE-2026-6276 on user privacy?

When was CVE-2026-6276 reported?

Company

Resources

Contact