25-Year-Old Vulnerability Patched in Curl

Summary

The open source curl data transfer tool released patches for 18 vulnerabilities (4 medium, 14 low-severity), marking the largest single update in the project's history. A critical flaw tracked as CVE-2026-8932, introduced in curl version 7.7 from March 2001, allows authentication bypass via improper mTLS connection reuse in libcurl. The vulnerabilities were discovered through a community effort initiated by Anthropic's Mythos AI model, with Aisle's AI platform identifying additional weaknesses including credential confusion, double-free, and use-after-free issues.

Full text

The open source data transfer tool and library curl has been updated this week with patches for 18 vulnerabilities, including one introduced 25 years ago. The flaws, four medium and 14 low-severity, were discovered as part of a community effort after Anthropic’s Mythos discovered a single curl bug in early May. This release resolves the highest number of CVEs patched with a single curl update, including an issue that was introduced in version 7.7, shipped on March 22, 2001. Tracked as CVE-2026-8932, it is described as an mTLS connection reuse and could lead to authentication bypass. It affects libcurl applications and not the curl command-line tool. The CVE exists because “libcurl could reuse an existing connection even after client certificate or private key settings had changed,” vulnerability management firm Aisle says. Aisle used its AI platform to identify multiple weaknesses across curl and libcurl, six of which were issued a CVE this year, CVE-2026-8932 included.Advertisement. Scroll to continue reading. The other identified flaws include credential confusion (CVE-2026-8926), double-free (CVE-2026-8925), use-after-free (CVE-2026-9080 and CVE-2026-10536), and improper host validation (CVE-2026-9547). As the company suggests, it’s no surprise that Mythos found a single curl bug and that few security issues are being surfaced in the popular tool and library. “Curl is of particular interest to security researchers: the easy bugs are long gone, and what remains is difficult to find: old protocol paths, state reuse, callback behavior, credential selection, and code paths that are easily forgotten about,” Aisle says. Over 30 billion devices use curl today for data transfer, including servers, phones, and cars, and vulnerabilities in it could prove highly valuable to attackers. However, there have been no public reports of successful in-the-wild exploitation of any security defect in curl. Related: Chrome 149 Update Resolves 18 Severe Vulnerabilities Related: Cisco SD-WAN Zero-Day Exploited Months Before Patching Related: Anthropic’s Mythos Model Found Vulnerabilities in Classified US Government Systems, Official Says Related: Data Exposure Flaws Threaten Dify AI Platform Used by 1 Million Apps Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Critical Ubiquiti Vulnerabilities in Attackers’ CrosshairsNew ‘Mistic’ RAT Opens Door to Several Ransomware FamiliesExploitable CI/CD Vulnerabilities Expose Millions of Repositories to HijackingBeyondTrust, LastPass Impacted by Klue-Salesforce IncidentData Exposure Flaws Threaten Dify AI Platform Used by 1 Million AppsFFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS AppliancesOpenAI Refocuses Cybersecurity Efforts on Patching Over DiscoveryRussian Initial Access Broker Behind FortiBleed Campaign Latest News NIST Opens Updated IoT Security Guidance to Public ReviewChrome 149 Update Resolves 18 Severe VulnerabilitiesCisco SD-WAN Zero-Day Exploited Months Before PatchingWhen Information Becomes the Attack Surface – Understanding AI Agent TrapsMicrosoft and Allies Smash Shared Infrastructure of Amadey and StealC MalwareExclusive: Meet AIVEX, a New Triage Model Built to Reduce Supply Chain Threat and RiskmacOS Weaknesses Chained to Silently Disable Endpoint Security AgentsThird DraftKings Hacker Sentenced to 18 Months in Prison Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: How Modern Breaches Bypass MFA and Evade Detection June 17, 2026 Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes. Register Webinar: Modern Exposure Validation in the AI Era June 24, 2026 AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program. Register People on the MoveFable Security has appointed Jacob Berry as Chief Information Security Officer.iCOUNTER has named Ali Waezzadah as Chief Information Security Officer.Roger Hale has joined 1Kosmos as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-8932
• cve — CVE-2026-8926
• cve — CVE-2026-8925
• cve — CVE-2026-9080
• cve — CVE-2026-10536
• cve — CVE-2026-9547

Entities