DEBIAN-CVE-2026-3784

DEBIAN-CVE-2026-3784 PUBLISHED CVSS 6.5 MEDIUM

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Risk Scores

CVSS 3.1

6.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:12	curl	8.13.0-4, 8.18.0~rc1-1+exp1, 8.18.0~rc2-1
Debian:14	curl	8.19.0~rc3-1, 8.14.1-2, 8.14.1-2+exp1
Debian:13	curl	8.14.1-2, 8.14.1-2, 8.14.1-2
Debian:11	curl	8.4.0-1, 7.74.0-1.3, 7.74.0-1.3+deb11u1

Exploit Intelligence

2026.xml (github-poc)
2026.xml (github-poc)
glcve_test.go (github-poc)

Timeline

Mar 11, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-3784 advisory

Open in Interactive Console →