PT-2026-24661 · Libcurl+3

Daniel Stenberg +1 · Published 2026-03-11 · Updated 2026-05-04 · CVE-2026-1965

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N

Name of the Vulnerable Software and Affected Versions

libcurl (affected versions not specified)

Description

libcurl may reuse an incorrect connection when handling Negotiate-authenticated HTTP or HTTPS requests. libcurl maintains a pool of recent connections so that later requests can reuse them and avoid connection setup overhead. Because Negotiate sometimes authenticates connections rather than individual requests, a logical error in this reuse can cause a request to go out on a connection that was authenticated with different credentials than expected. Specifically, if an application authenticates with user1:password1 and then attempts another operation with user2:password2 while the first connection remains active, the second request might incorrectly reuse the connection associated with user1. The authentication methods are configured using the CURLOPT_HTTPAUTH option.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
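
A simplified model of the bug class described above, added here as an illustration: it is not libcurl's code, and the page does not say where in libcurl the logical error lies. The struct, the function names and the host `intranet.example` are hypothetical. The sketch contrasts a pool lookup that ignores credentials with one that refuses to reuse a connection-authenticated connection for different credentials.

```c
/* Simplified model of a connection pool, NOT libcurl's code; names are hypothetical. */
#include <stdio.h>
#include <string.h>

struct conn {
    const char *host;
    int port;
    const char *userpwd;   /* credentials the connection was authenticated with */
    int conn_auth;         /* 1 if the auth (Negotiate-style) is bound to the connection */
};

/* Constructed sample pool: one live connection authenticated as user1. */
static const struct conn pool[] = {
    { "intranet.example", 443, "user1:password1", 1 },
};
#define POOL_LEN (sizeof pool / sizeof pool[0])

/* Flawed lookup: compares only the endpoint, so any caller gets user1's connection. */
const struct conn *find_reusable_weak(const char *host, int port, const char *userpwd)
{
    (void)userpwd;  /* credentials ignored: the kind of logical error being modeled */
    for (size_t i = 0; i < POOL_LEN; i++)
        if (!strcmp(pool[i].host, host) && pool[i].port == port)
            return &pool[i];
    return NULL;
}

/* Hardened lookup: a connection-authenticated entry is reused only for the same credentials. */
const struct conn *find_reusable_strict(const char *host, int port, const char *userpwd)
{
    for (size_t i = 0; i < POOL_LEN; i++) {
        const struct conn *c = &pool[i];
        if (strcmp(c->host, host) != 0 || c->port != port)
            continue;
        if (c->conn_auth && (!userpwd || strcmp(c->userpwd, userpwd) != 0))
            continue;   /* authenticated as someone else: force a new connection */
        return c;
    }
    return NULL;
}

int main(void)
{
    const char *req = "user2:password2";
    printf("weak reuse:   %s\n", find_reusable_weak("intranet.example", 443, req) ? "yes (wrong identity)" : "no");
    printf("strict reuse: %s\n", find_reusable_strict("intranet.example", 443, req) ? "yes" : "no (new connection)");
    return 0;
}
```
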

Weakness Enumeration

Related Identifiers

BDU:2026-07148
CVE-2026-1965
ECHO-3C02-5957-BBD3
JLSEC-2026-436
OESA-2026-1704
OPENSUSE-SU-2026:10371-1
OPENSUSE-SU-2026:20404-1
RHSA-2026:6893
SUSE-SU-2026:0879-1
SUSE-SU-2026:0885-1
SUSE-SU-2026:0903-1
SUSE-SU-2026:0911-1
SUSE-SU-2026:0921-1
SUSE-SU-2026:1717-1
SUSE-SU-2026:1940-1
SUSE-SU-2026:20668-1
SUSE-SU-2026:20722-1
SUSE-SU-2026:20760-1
SUSE-SU-2026:20918-1
SUSE-SU-2026:21452-1
USN-8084-1
USN-8099-1

Affected Products

Linuxmint
Red Os
Ubuntu
Libcurl