The widely used open-source data transfer tool curl has released a major security update addressing 18 vulnerabilities, including a flaw that has existed in the project for approximately 25 years.

The release marks the largest number of CVEs fixed in a single curl update and follows a community-wide security review initiated after Anthropic's Mythos AI model discovered a vulnerability in curl earlier this year.

18 Security Vulnerabilities Fixed

The latest update resolves:

  • 4 medium-severity vulnerabilities
  • 14 low-severity vulnerabilities

Among the most significant issues is CVE-2026-8932, an authentication bypass vulnerability that dates back to curl version 7.7, originally released on March 22, 2001.

According to researchers, the flaw affects libcurl-based applications rather than the curl command-line utility itself.

CVE-2026-8932: mTLS Connection Reuse Flaw

The vulnerability stems from improper handling of mutual TLS (mTLS) connections.

Researchers found that libcurl could incorrectly reuse an existing connection even after the client certificate or private key configuration had changed.

As a result, applications relying on client certificate authentication could unintentionally reuse previously authenticated sessions, potentially leading to authentication bypass scenarios.

Security researchers describe the issue as an mTLS connection reuse vulnerability that may allow credential confusion between different authenticated contexts.
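To make the failure mode concrete, the following added example models a TLS connection pool with two reuse policies. It is an illustrative model written for this article, not libcurl's own connection-matching code; the struct, the function names and the certificate paths are constructed assumptions. The weak matcher keys reuse only on host and port, so a connection authenticated as one client is handed to a transfer that has since been reconfigured with a different certificate. The hardened matcher makes the client certificate and key part of the reuse key, forcing a fresh handshake whenever the mTLS identity changes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative connection-pool entry: a constructed model, not libcurl's own
 * data structures. A pooled connection remembers the peer it reached and the
 * client identity (certificate + key) it presented during the TLS handshake. */
typedef struct {
    const char *host;
    int port;
    const char *client_cert;  /* path of the client certificate, or NULL */
    const char *client_key;   /* path of the matching private key, or NULL */
} conn_identity;

/* NULL-safe string equality: two NULLs are equal, NULL vs text is not. */
static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Weak matcher: any pooled connection to the same host and port is reused,
 * regardless of which client certificate it was authenticated with. This is
 * the class of mistake the article describes: the configured identity changed,
 * but the reuse key never looked at it. */
bool weak_match(const conn_identity *pooled, const conn_identity *wanted) {
    return pooled->port == wanted->port && str_eq(pooled->host, wanted->host);
}

/* Hardened matcher: the mTLS identity is part of the reuse key, so a
 * connection authenticated as one client is never handed to a request that
 * configured a different certificate, a different key, or no certificate. */
bool strict_match(const conn_identity *pooled, const conn_identity *wanted) {
    return weak_match(pooled, wanted)
        && str_eq(pooled->client_cert, wanted->client_cert)
        && str_eq(pooled->client_key, wanted->client_key);
}

/* Minimal pool lookup: index of the first reusable connection, or -1 when a
 * fresh connection (and therefore a fresh TLS handshake) is required. */
int find_reusable(const conn_identity *pool, int n, const conn_identity *wanted,
                  bool (*match)(const conn_identity *, const conn_identity *)) {
    for (int i = 0; i < n; i++)
        if (match(&pool[i], wanted))
            return i;
    return -1;
}

/* Constructed scenario (sample data, not real hosts or key material): the pool
 * holds one connection authenticated with alice's certificate; later transfers
 * on the same handle are reconfigured for bob, for alice again, or with no
 * client certificate at all. */
static const conn_identity POOL[] = {
    { "api.example.com", 443, "/etc/pki/alice.crt", "/etc/pki/alice.key" },
};
static const conn_identity ALICE = { "api.example.com", 443, "/etc/pki/alice.crt", "/etc/pki/alice.key" };
static const conn_identity BOB   = { "api.example.com", 443, "/etc/pki/bob.crt",   "/etc/pki/bob.key" };
static const conn_identity ANON  = { "api.example.com", 443, NULL, NULL };

int weak_reuse_for_bob(void)     { return find_reusable(POOL, 1, &BOB,   weak_match);   } /* 0: bob rides alice's session */
int strict_reuse_for_bob(void)   { return find_reusable(POOL, 1, &BOB,   strict_match); } /* -1: new handshake as bob */
int strict_reuse_for_alice(void) { return find_reusable(POOL, 1, &ALICE, strict_match); } /* 0: same identity, reuse is fine */
int strict_reuse_for_anon(void)  { return find_reusable(POOL, 1, &ANON,  strict_match); } /* -1: unauthenticated must not inherit */

int main(void) {
    printf("weak matcher, bob:     %d\n", weak_reuse_for_bob());
    printf("strict matcher, bob:   %d\n", strict_reuse_for_bob());
    printf("strict matcher, alice: %d\n", strict_reuse_for_alice());
    printf("strict matcher, anon:  %d\n", strict_reuse_for_anon());
    return 0;
}
```

The point for application developers reviewing their own libcurl usage is the same regardless of the library's internals: any layer that pools authenticated connections must treat the client identity as part of the connection's key, and a transfer whose certificate or key configuration has changed since the pooled connection was established must not be satisfied from that pool.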

AI-Assisted Vulnerability Discovery

Several of the newly disclosed vulnerabilities were identified by vulnerability management company Aisle, which used AI-assisted analysis to review curl's codebase.

The company reported six new vulnerabilities in 2026, including:

  • CVE-2026-8932 — mTLS connection reuse
  • CVE-2026-8926 — Credential confusion
  • CVE-2026-8925 — Double-free vulnerability
  • CVE-2026-9080 — Use-after-free vulnerability
  • CVE-2026-10536 — Use-after-free vulnerability
  • CVE-2026-9547 — Improper host validation

These findings highlight how AI-powered security analysis is increasingly being used to uncover vulnerabilities in mature open-source projects.

Why Finding Bugs in curl Is Difficult

According to researchers, curl has undergone decades of continuous security scrutiny, making it increasingly difficult to discover new vulnerabilities.

Most obvious flaws have already been identified and fixed, leaving only highly complex issues buried deep within:

  • Legacy protocol implementations
  • State reuse mechanisms
  • Authentication handling logic
  • Callback behaviors
  • Rare execution paths
  • Credential selection routines

Many of the newly discovered vulnerabilities involve subtle edge cases that can remain hidden for years despite extensive auditing.

Impact on the Global Technology Ecosystem

curl is one of the most widely deployed software components in the world.

The project estimates that more than 30 billion devices rely on curl or libcurl for data transfer operations, including:

  • Servers
  • Cloud infrastructure
  • Mobile devices
  • Embedded systems
  • Automotive platforms
  • Enterprise applications

Because of its widespread adoption, vulnerabilities affecting curl can have significant implications across the global software supply chain.

No Known Active Exploitation

At this time, there have been no public reports of active exploitation involving any of the vulnerabilities addressed in this release.

However, security experts recommend updating to the latest version as soon as possible, particularly for organizations that rely on libcurl for authentication, API communication, or secure data transfer.

Recommendations

Organizations should:

  • Update curl and libcurl to the latest available version.
  • Review applications that utilize client certificate authentication.
  • Verify TLS and mTLS configurations.
  • Monitor vendor advisories for downstream package updates.
  • Conduct security testing on applications using embedded libcurl components.

The discovery of a 25-year-old vulnerability serves as a reminder that even the most mature and heavily audited software projects can still contain hidden security flaws waiting to be uncovered.