DEBIAN-CVE-2026-3783

DEBIAN-CVE-2026-3783 PUBLISHED CVSS 5.300000190734863 MEDIUM

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.

Risk Scores

CVSS 3.1

5.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:14	curl	0, 8.19.0, 8.19.0
Debian:11	curl	8.4.0-1, 7.74.0-1.3, 7.74.0-1.3+deb11u1
Debian:12	curl	8.13.0~rc-1~exp2, 8.13.0-5, 8.13.0-4+exp1
Debian:13	curl	8.15.0-1, 8.15.0-1, 8.15.0

Exploit Intelligence

2026.xml (github-poc)
2026.xml (github-poc)
glcve_test.go (github-poc)

Timeline

Mar 11, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-3783 advisory

Open in Interactive Console →