2461203 – (CVE-2026-6276) CVE-2026-6276 curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers

Bug 2461203 (CVE-2026-6276) - CVE-2026-6276 curl: libcurl: Information disclosure due to cookie leak when reusing connections with custom Host headers

Summary: CVE-2026-6276 curl: libcurl: Information disclosure due to cookie leak when r...

Keywords:
Status:	NEW
Alias:	CVE-2026-6276
Deadline:	2026-04-29
Product:	Security Response
Classification:	Other
Component:	vulnerability-draft
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-23 16:48 UTC by OSIDB Bzimport
Modified:	2026-04-30 09:52 UTC (History)
CC List:	25 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-23 16:48:30 UTC

A flaw was found in libcurl. This vulnerability allows for information disclosure when a custom `Host:` header is used in an initial HTTP request, and a subsequent request reuses the same connection without specifying a new `Host:` header. In such a scenario, libcurl may incorrectly send cookies intended for the first host to the second host, leading to a cookie leak. This issue is an Origin Validation Error (CWE-346).

Note You need to log in before you can comment on or make changes to this bug.

adudiak
bbrownin
crizzo
csutherl
dbosanac
jclere
jmitchel
jreimann
kaycoth
kshier
mdessi
mrizzi
pbohmill
pcattana
pjindal
plodge
rhel-process-autobot
sdawley
security-response-team
stcannon
szappis
teagle
vchlup
watson-tool-maintainers
yguenane