PROBABLYPWNED
Vulnerabilities · July 1, 2026 · 4 min read

Curl Patches 18 Flaws Including 25-Year-Old mTLS Bypass

Curl 8.21.0 addresses a record 18 CVEs, including CVE-2026-8932—an mTLS authentication bypass introduced in March 2001. AI tools discovered several of the vulnerabilities.

Marcus Chen

The curl project released version 8.21.0 on June 24, patching a record 18 security vulnerabilities in a single update. The most remarkable: a 25-year-old authentication bypass that has existed since curl 7.7, shipped in March 2001.

CVE-2026-8932 affects mutual TLS (mTLS) connection reuse, where curl could inappropriately reuse authenticated connections for subsequent requests that should have required separate authentication. Given that libcurl powers an estimated 30 billion devices—from IoT sensors to cloud infrastructure—the scope of potential exposure is staggering.

The 25-Year-Old Bug

The flaw exists in how curl handles TLS connection pooling when client certificates are involved. In certain configurations, curl would reuse an mTLS-authenticated connection for a request that specified different or no client credentials, effectively bypassing the authentication requirement on the second request.

Exploitation requires specific conditions: the attacker needs to influence connection timing and request sequencing against a target application using libcurl. In practice, this most affects multi-tenant services where different users' requests might share connection pools—think API gateways, reverse proxies, or any service brokering requests on behalf of multiple principals.

Daniel Stenberg, curl's maintainer, documented the bug's age in his release blog post, noting that it was introduced in curl 7.7 alongside the initial mTLS implementation over two decades ago.
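The bug class described above can be seen in a few lines. What follows is an added illustration written for this article, not curl's code or an attempt to reproduce curl's pool: the names Pool, Connection and credential_mismatches are invented, and the three sample requests are constructed. A pool keyed only on destination hands the tenant A connection to a later request that presented no client certificate and to one from tenant B; a pool that also keys on the client identity opens fresh connections for both.

```python
"""Toy model of the connection-reuse bug class behind CVE-2026-8932.

Added illustration, not curl's code. A connection pool keyed only on
(host, port) will reuse a connection that was authenticated with one client
certificate for a request that presented a different certificate, or none.
Keying the pool on the client identity as well removes the mismatch.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Connection:
    host: str
    port: int
    # Label of the client certificate presented at the TLS handshake;
    # None means the connection was opened without mTLS.
    client_cert: Optional[str]
    requests_served: int = 0


class Pool:
    """Minimal connection pool; key_by_client_cert selects weak or hardened keying."""

    def __init__(self, key_by_client_cert: bool) -> None:
        self.key_by_client_cert = key_by_client_cert
        self._conns: Dict[tuple, Connection] = {}

    def _key(self, host: str, port: int, client_cert: Optional[str]) -> tuple:
        if self.key_by_client_cert:
            # Hardened: only requests that would have authenticated with the
            # same client identity may reuse this connection.
            return (host, port, client_cert)
        # Weak: any request to the same destination may reuse the connection.
        return (host, port)

    def get(self, host: str, port: int, client_cert: Optional[str]) -> Connection:
        key = self._key(host, port, client_cert)
        conn = self._conns.get(key)
        if conn is None:
            conn = Connection(host, port, client_cert)
            self._conns[key] = conn
        conn.requests_served += 1
        return conn


Request = Tuple[str, int, Optional[str]]


def credential_mismatches(pool: Pool, requests: List[Request]) -> List[tuple]:
    """Run requests through the pool; return those served over a connection
    whose client identity differs from the one the request specified."""
    mismatches = []
    for host, port, client_cert in requests:
        conn = pool.get(host, port, client_cert)
        if conn.client_cert != client_cert:
            mismatches.append((host, port, client_cert, conn.client_cert))
    return mismatches


# Constructed traffic for a gateway that brokers requests for two tenants.
SAMPLE_REQUESTS: List[Request] = [
    ("api.example.internal", 443, "tenant-a-cert"),  # opens an mTLS connection as tenant A
    ("api.example.internal", 443, None),             # presents no client certificate
    ("api.example.internal", 443, "tenant-b-cert"),  # tenant B's own certificate
]


def compare_pools() -> Tuple[List[tuple], List[tuple]]:
    """Return (mismatches with destination-only keying, mismatches with identity keying)."""
    weak = credential_mismatches(Pool(key_by_client_cert=False), SAMPLE_REQUESTS)
    hardened = credential_mismatches(Pool(key_by_client_cert=True), SAMPLE_REQUESTS)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = compare_pools()
    print("destination-only pool key:", weak)
    print("destination + client-identity key:", hardened)
```

For a service that brokers requests for several principals and cannot take the 8.21.0 update immediately, libcurl's CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE options turn off reuse on a handle, and giving each principal its own handle (or multi handle) keeps their pools apart; both trade connection reuse for isolation until the fixed library is in place.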

AI-Assisted Discovery

The wave of disclosures began on May 11, 2026, when Anthropic's Mythos AI identified an initial vulnerability. The discovery prompted broader scrutiny, with security firm AISLE using AI-powered analysis to uncover 6 of the 18 CVEs—including CVE-2026-8932 itself.

The remaining vulnerabilities span the typical curl attack surface:

  • CVE-2026-8925: SASL double-free that could cause crashes or memory corruption
  • CVE-2026-8927: Environment-set cross-proxy Digest authentication state leak
  • CVE-2026-9079: Stale proxy password leak between connections
  • CVE-2026-9080: Use-after-free in certain error handling paths
  • CVE-2026-9547: Improper host validation enabling request smuggling

All 18 vulnerabilities are rated low to medium severity—no critical or high-severity issues made this release. The mTLS bypass is the most architecturally significant, but individual exploitation scenarios require careful alignment of conditions.

Why Curl Updates Are Different

Unlike a typical application patch, curl updates cascade through the entire software ecosystem. The library is embedded in operating systems, containers, scripting languages, and applications that often don't expose curl as an obvious dependency.

Checking whether you're affected involves more than curl --version. Organizations should audit:

  • Container base images (Alpine, Debian, Ubuntu all ship libcurl)
  • Python, Ruby, PHP, and other language runtime installations
  • Custom applications compiled against libcurl
  • IoT and embedded devices where firmware updates may lag years behind
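One way to start that audit on a single host, as an added helper written for this article rather than anything the curl project ships: it reads the first line of curl --version (where the CLI and libcurl versions can differ when a binary links against a system library), asks curl-config and the pycurl binding for their libcurl versions when they are present, and lists libcurl shared objects via ldconfig so each can be traced to its package. FIXED_VERSION is 8.21.0 per the article; the sample banner and its 8.20.0 version are constructed for the test.

```python
"""Audit helper: is the curl/libcurl on this host older than the fixed 8.21.0?

Added example, not part of the curl project or the article. Every command is
guarded, so the script degrades to an empty report where a tool is absent.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
FIXED_VERSION: Version = (8, 21, 0)  # first release containing the 18 fixes

# Constructed banner in the shape curl prints; 8.20.0 is just an older example version.
SAMPLE_BANNER = (
    "curl 8.20.0 (x86_64-pc-linux-gnu) libcurl/8.20.0 OpenSSL/3.0.13 zlib/1.3\n"
    "Protocols: file ftp ftps http https\n"
)


def parse_version(text: str) -> Version:
    """'8.20.0' or '8.20.0-DEV' -> (8, 20, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no dotted version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def parse_curl_banner(banner: str) -> Dict[str, Optional[Version]]:
    """Extract the CLI and libcurl versions from a `curl --version` banner."""
    first = banner.splitlines()[0] if banner.strip() else ""
    m_cli = re.match(r"curl\s+(\d+\.\d+\.\d+)", first)
    m_lib = re.search(r"libcurl/(\d+\.\d+\.\d+)", first)
    return {
        "curl": parse_version(m_cli.group(1)) if m_cli else None,
        "libcurl": parse_version(m_lib.group(1)) if m_lib else None,
    }


def needs_update(version: Optional[Version]) -> bool:
    """True when a known version predates the fixed release; unknown -> False."""
    return version is not None and tuple(version) < FIXED_VERSION


def _run(cmd) -> str:
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return ""


def audit() -> Dict[str, Tuple[Optional[Version], bool]]:
    """Collect every libcurl version this host can report, flagged if outdated."""
    findings: Dict[str, Tuple[Optional[Version], bool]] = {}
    if shutil.which("curl"):
        for name, ver in parse_curl_banner(_run(["curl", "--version"])).items():
            findings[f"curl CLI: {name}"] = (ver, needs_update(ver))
    if shutil.which("curl-config"):  # shipped with the libcurl development package
        out = _run(["curl-config", "--version"])
        ver = parse_version(out) if re.search(r"\d+\.\d+\.\d+", out) else None
        findings["curl-config"] = (ver, needs_update(ver))
    try:
        import pycurl  # pycurl.version looks like 'PycURL/7.x libcurl/8.x ...'
        ver = parse_curl_banner(pycurl.version)["libcurl"]
        findings["pycurl"] = (ver, needs_update(ver))
    except ImportError:
        pass
    if shutil.which("ldconfig"):
        # ldconfig does not reveal the curl version; record each libcurl.so path so
        # it can be mapped to its owning package (dpkg -S / rpm -qf) and checked there.
        for line in _run(["ldconfig", "-p"]).splitlines():
            if "libcurl" in line and "=>" in line:
                findings[f"shared object: {line.split('=>')[-1].strip()}"] = (None, False)
    return findings


if __name__ == "__main__":
    for what, (ver, outdated) in audit().items():
        shown = ".".join(map(str, ver)) if ver else "-"
        state = "UPDATE NEEDED" if outdated else ("ok" if ver else "check package version")
        print(f"{what:48} {shown:10} {state}")
```

Run it inside each container image and language runtime, not just on the host: a Python image with a wheel-bundled pycurl, or a PHP build with its own libcurl, can report a different version than the distribution's curl package.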

The 30 billion device estimate comes from curl's ubiquity as the default HTTP client library across platforms. When a vulnerability spans 25 years of releases, the remediation tail extends equally far.

Update Paths

For direct curl installations, upgrade to 8.21.0 or later. Linux distributions will push updated packages through their standard channels—Debian, Ubuntu, and Fedora have already published updates.

Container users should rebuild against updated base images. Organizations using distroless or minimal containers may need to explicitly install the updated curl package in their Dockerfile.

For embedded systems and IoT devices, contact manufacturers for firmware updates. Given the age of the vulnerability, devices that haven't received updates in years almost certainly remain vulnerable—add them to network segmentation and monitoring priorities.

Connection to Recent Supply Chain Attacks

Curl's status as foundational infrastructure makes it a natural target for supply chain attackers. We've covered npm and PyPI supply chain campaigns targeting developer environments recently—curl represents a different attack surface where compromised packages could affect millions of downstream applications simultaneously.

The AI-assisted discovery angle is worth noting. As automated vulnerability research tools become more capable, expect increased disclosure volume for mature, widely deployed codebases like curl. Projects that have operated for decades accumulate technical debt that human reviewers miss but pattern-matching AI can surface.

For now, patch curl across your infrastructure and add libcurl to your software bill of materials tracking if it isn't already there.
