A major Curl security update has fixed a record 18 vulnerabilities, including an authentication-related flaw that remained hidden in the project for 25 years.
Quick Summary – TLDR:
- Curl 8.21.0 fixes 18 security vulnerabilities, the highest number ever addressed in a single release.
- A 25-year-old authentication-related bug affecting libcurl has finally been patched.
- The update resolves password leaks, memory corruption, authentication issues, and WebSocket-related flaws.
- Organizations using Curl or libcurl are encouraged to upgrade as soon as possible.
What Happened?
The Curl project has released version 8.21.0, delivering the largest security update in its history by fixing 18 vulnerabilities in a single release. Among the fixes is a 25-year-old security flaw that dates back to March 2001, making it one of the oldest bugs ever discovered and patched in the widely used open source data transfer tool.
The release follows an intense period of security research, with multiple vulnerabilities identified by independent researchers and security firms. Despite the large number of issues addressed, there are currently no reports of any of these vulnerabilities being actively exploited in real world attacks.
18 CVEs in curl https://t.co/bqxDWhdbGU
— Open Source Security mailing list (@oss_security) June 25, 2026
LOW and MEDIUM severity. Fixed in 8.21.0. Message lists per-CVE titles, severities, and advisory links.
Record Breaking Security Release
The latest release sets multiple milestones for the project. It represents the 275th Curl release and pushes the total number of publicly disclosed Curl vulnerabilities to 206.
Project maintainer Daniel Stenberg acknowledged the unusually high number of security reports received over the past few months. The update includes 276 bug fixes, 531 commits, and contributions from 102 developers, including 69 first time contributors.
The release also becomes the project’s largest security update ever, surpassing all previous versions in the number of vulnerabilities resolved in a single release.
Twenty-Five-Year-Old Bug Finally Resolved
One of the most notable fixes is CVE-2026-8932, an issue involving mutual TLS connection reuse in libcurl.
The flaw was originally introduced in Curl version 7.7, released on March 22, 2001. It allowed libcurl to reuse an existing connection even after the client certificate or private key configuration had changed. This behavior could potentially lead to an authentication bypass in applications using the library.
The vulnerability affects libcurl-based applications rather than the Curl command line tool, making it particularly important for software developers who embed the library into their own applications.
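To make the bug class concrete, here is an added illustration of what "reusing a connection after the client certificate or key changed" means. It is not libcurl's code and not from the article: it is a simplified connection cache with a constructed host, two constructed client identities, and one switch that models the old host-and-port-only cache key against a key that also includes the client credentials.

```python
"""Added illustration (not libcurl's code) of the connection-reuse bug class the
article describes for CVE-2026-8932: a cache keyed only on host and port hands a
connection authenticated with one client certificate to a later request that
configured a different one. All names, paths and classes here are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TlsClientConfig:
    """Client-side mutual-TLS settings an application can change between requests."""
    cert_path: Optional[str] = None
    key_path: Optional[str] = None


@dataclass
class Connection:
    host: str
    port: int
    authenticated_as: TlsClientConfig  # credentials the TLS handshake actually used
    uses: int = 0


class ConnectionPool:
    """credential_aware=False models the old behaviour; True models the fix."""

    def __init__(self, credential_aware: bool) -> None:
        self.credential_aware = credential_aware
        self._cache: Dict[tuple, Connection] = {}

    def _key(self, host: str, port: int, tls: TlsClientConfig) -> tuple:
        if self.credential_aware:
            # The client identity is part of what makes a connection reusable.
            return (host, port, tls.cert_path, tls.key_path)
        return (host, port)

    def get(self, host: str, port: int, tls: TlsClientConfig) -> Connection:
        key = self._key(host, port, tls)
        conn = self._cache.get(key)
        if conn is None:
            conn = Connection(host, port, authenticated_as=tls)
            self._cache[key] = conn
        conn.uses += 1
        return conn


# Constructed credentials for two distinct client identities (hypothetical paths).
ALICE = TlsClientConfig("/etc/app/alice.pem", "/etc/app/alice.key")
BOB = TlsClientConfig("/etc/app/bob.pem", "/etc/app/bob.key")
HOST, PORT = "api.example.test", 443


def identity_mismatch(credential_aware: bool) -> bool:
    """Issue a request as Alice, then one as Bob, and report whether Bob's request
    was served over a connection whose TLS handshake authenticated as Alice."""
    pool = ConnectionPool(credential_aware)
    pool.get(HOST, PORT, ALICE)
    conn = pool.get(HOST, PORT, BOB)
    return conn.authenticated_as != BOB


def same_identity_reuses(credential_aware: bool) -> bool:
    """The fix must not break the legitimate case: same credentials, same connection."""
    pool = ConnectionPool(credential_aware)
    first = pool.get(HOST, PORT, ALICE)
    second = pool.get(HOST, PORT, ALICE)
    return first is second and second.uses == 2


if __name__ == "__main__":
    for aware in (False, True):
        print(f"credential_aware={aware}: mismatch={identity_mismatch(aware)}, "
              f"same-identity reuse={same_identity_reuses(aware)}")
```

With `credential_aware=False` the second request is served on a connection that authenticated as Alice, which is the authentication-bypass shape the article describes; with `credential_aware=True` Bob gets a fresh connection while Alice's repeated requests still share one. For applications that change client certificates on a shared libcurl handle and cannot upgrade immediately, libcurl's existing `CURLOPT_FRESH_CONNECT` and `CURLOPT_FORBID_REUSE` options force a new connection and prevent the old one from being reused; that is a workaround suggested here, not advice from the article.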
Password Leaks and Memory Related Issues Fixed
Out of the 18 vulnerabilities, four were rated Medium severity while the remaining 14 received Low severity ratings.
Some of the most important fixes include:
- CVE-2026-8925, a SASL double free vulnerability that could lead to memory corruption.
- CVE-2026-8927, involving a cross proxy Digest authentication state leak.
- CVE-2026-9079, which fixes a stale proxy password leak.
- CVE-2026-11856, addressing a cross origin Digest authentication state leak.
- CVE-2026-8926, preventing a password leak when combining .netrc credentials with usernames specified in URLs.
- CVE-2026-11586, fixing a WebSocket Auto PONG memory exhaustion issue that could result in denial of service conditions.
- CVE-2026-9080 and CVE-2026-10536, both resolving use after free memory bugs.
- Additional fixes cover SSH host validation, HTTP/3 early data exposure, QUIC busy loop behavior, supercookie handling, and connection reuse problems.
Community Research Played a Key Role
The wave of discoveries began after Anthropic’s Mythos identified a Curl vulnerability earlier this year. That finding sparked a wider community effort to examine older sections of the project’s code.
Security company Aisle also contributed significantly, identifying multiple vulnerabilities through its artificial-intelligence-powered analysis platform. According to the company, Curl has already had many obvious bugs removed over the years, leaving behind complex issues involving protocol handling, connection reuse, callback behavior, and authentication logic that are much harder to detect.
New Features Arrive Alongside Security Fixes
Although security was the primary focus, Curl 8.21.0 also introduces several new capabilities.
The release adds named glob support for URL patterns and output files, expands support for HTTP/3 proxy CONNECT and MASQUE CONNECT-UDP, and introduces SHA-256 host public key support through libssh.
The project also removes HTTP/2 stream dependency tracking and ends support for CURLAUTH_DIGEST_IE. Developers were also informed that support for NTLM, SMB, TLS-SRP, and local cryptographic implementations may be removed in future releases.
With more than 30 billion devices relying on Curl for data transfers across servers, mobile devices, vehicles, and countless software applications, keeping installations updated remains essential for maintaining security.
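As an added check for that upgrade advice (not from the article or the curl project): the script below parses the first line of `curl --version`, which has the real layout `curl X.Y.Z (platform) libcurl/X.Y.Z ...`, and flags any install where either the tool or the libcurl it is linked against is older than 8.21.0, the fixed version named above. The sample lines and the `needs_upgrade` and `check_local_curl` names are constructed for this example.

```python
"""Added example: flag curl/libcurl installs older than 8.21.0 from `curl --version`.
Not the curl project's code; the sample version lines below are constructed."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# The release the article describes as fixing the 18 CVEs.
FIXED_VERSION = (8, 21, 0)

Version = Tuple[int, int, int]
_TOOL_RE = re.compile(r"^curl (\d+)\.(\d+)\.(\d+)")
_LIBCURL_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_versions(first_line: str) -> Tuple[Optional[Version], Optional[Version]]:
    """Return (tool_version, libcurl_version) from the first `curl --version` line.
    They can differ: a curl binary may be linked against an older or newer libcurl."""
    tool = _TOOL_RE.match(first_line)
    lib = _LIBCURL_RE.search(first_line)
    tool_v = tuple(int(g) for g in tool.groups()) if tool else None
    lib_v = tuple(int(g) for g in lib.groups()) if lib else None
    return tool_v, lib_v  # type: ignore[return-value]


def needs_upgrade(first_line: str) -> bool:
    """True if the tool, or the libcurl it reports, predates 8.21.0.
    The library matters on its own because CVE-2026-8932 affects libcurl users."""
    tool_v, lib_v = parse_versions(first_line)
    if tool_v is None:
        raise ValueError(f"not a curl --version line: {first_line!r}")
    candidates = [tool_v] + ([lib_v] if lib_v is not None else [])
    return any(v < FIXED_VERSION for v in candidates)


def check_local_curl() -> Optional[str]:
    """Inspect the curl on PATH, if any. Returns None when no curl is installed."""
    if shutil.which("curl") is None:
        return None
    out = subprocess.run(["curl", "--version"], capture_output=True,
                         text=True, check=True).stdout
    line = out.splitlines()[0]
    return ("UPGRADE: " if needs_upgrade(line) else "OK: ") + line


# Constructed sample lines in the real `curl --version` layout.
SAMPLES = [
    "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.2 zlib/1.2.11",
    "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.2 zlib/1.2.11",
    "curl 8.21.0 (aarch64-unknown-linux-gnu) libcurl/8.19.0 GnuTLS/3.8.3",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("UPGRADE" if needs_upgrade(line) else "OK     ", line)
    local = check_local_curl()
    print(local if local else "no curl on PATH")
```

One caveat a practitioner should keep in mind: Linux distributions often backport security fixes without raising the version number, so a reported version below 8.21.0 on a distro-packaged curl is a prompt to check the distribution's own advisory rather than proof that the install is unpatched. The version test is also silent about applications that bundle their own libcurl, which need to be inventoried separately.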
SQ Magazine Takeaway
I think this release highlights why even the most trusted open source software should never be taken for granted. A security flaw can remain hidden for decades, even in software used by billions of devices worldwide. The Curl community deserves credit for turning one vulnerability into a much broader security review, giving users a significantly stronger and safer release.