Unrated

password leak with netrc and user in URL

IdentifiersCVE-2026-8926CWE-522

CVE-2026-8926 is a low-severity curl credential-handling flaw in .netrc processing. When curl is configured to use a .netrc file for credentials and the requested URL includes a username but no password, such as https://user@example.com/, curl can fail to properly bind credential lookup to the specified username. If there is no matching .netrc entry for that username on the target host, affected versions may incorrectly select and use the password belonging to a different user defined for the same host in the .netrc file. The issue affects both the curl command-line tool and libcurl-based applications. According to the provided content, affected versions are curl 8.11.1 through 8.20.0 inclusive; the flaw was introduced by commit e9b9bbac22c26cf67 and fixed by commit 4ae1d7cc2643e47 in curl 8.21.0.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation causes credential confusion and unintended disclosure/use of stored credentials for another account on the same host. In practice, curl may send the wrong user's password during authentication, potentially exposing that credential to the remote service and authenticating as a different local .netrc-defined user than intended. This can result in leakage of sensitive authentication material and unintended account access, although the provided content rates the issue as Low severity.

Mitigation

If you can’t patch tonight, do this now.

Avoid using .netrc for authentication data where possible, as explicitly recommended in the provided content. As an operational workaround, do not combine .netrc credential lookup with URLs that specify only a username and omit the password. Ensure that authentication is supplied explicitly through safer mechanisms, or structure .netrc usage so that ambiguous multi-user entries for the same host are not relied upon.

Remediation

Patch, then assume compromise.

Upgrade curl to version 8.21.0 or later, which contains the fix for CVE-2026-8926. If immediate upgrade is not possible, apply the vendor patch associated with fix commit 4ae1d7cc2643e47. Review any applications or scripts that rely on .netrc-based authentication with usernames embedded in URLs, especially where multiple accounts are defined for the same host.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security affairsNews

Jun 25, 2026

Curl Fixes a 25-Year-Old Bug in Its Largest CVE Release Yet - Security Affairs

A credential confusion vulnerability in curl's .netrc credential handling that could cause curl to use a password belonging to a different user for the same host when a username is supplied without a password.

cyber security newsNews

Jun 25, 2026

25-Year-Old Vulnerability in curl Used by 30 Billion Devices Finally Patched

A curl/libcurl vulnerability in .netrc credential handling that can cause credential confusion or password leakage by selecting the wrong user's password for the same host.

security weekNews

Jun 25, 2026

25-Year-Old Vulnerability Patched in Curl - SecurityWeek

A curl/libcurl vulnerability described as credential confusion.

daniel haxx seNews

Jun 24, 2026

curl 8.21.0 | daniel.haxx.se

A low-severity curl/libcurl vulnerability that can leak a password when using netrc together with a username embedded in the URL.

+2 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-8926

NVD

nvd.nist.gov/vuln/detail/CVE-2026-8926

MITRE CWE · CWE-522

cwe.mitre.org