CVE-2026-6429: netrc credential leak with reused proxy connection
Published Apr 29, 2026
When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.
Affected Software
2 affected components
curl libcurl
haxx curl >=7.14.0 <8.20.0
Remediation
Patch Available
Event History
May 13, 2026
CVE Published (via MITRE, 08:28 AM)
Data Sourced (via MITRE, 08:28 AM): Description, Weakness
Data Sourced (via NVD, 01:01 PM): Remedy, Description, Severity, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-6429?
CVE-2026-6429 has been classified as a moderate severity vulnerability.
2. How do I fix CVE-2026-6429?
To mitigate CVE-2026-6429, avoid using .netrc files with HTTP redirects and update to a patched version of libcurl.
3. What causes CVE-2026-6429?
CVE-2026-6429 is caused by the improper handling of credentials when following HTTP redirects while using a .netrc file.
4. Which versions of libcurl are affected by CVE-2026-6429?
Versions of libcurl prior to the fix release for CVE-2026-6429 are affected.
5. Can CVE-2026-6429 lead to credential exposure?
Yes, CVE-2026-6429 can lead to the exposure of credentials from the .netrc file when connecting to redirected hosts.