libcurl mTLS Connection Reuse Authentication Bypass (CVE-2026-8932)
by Ashraf Zaryouh / 0xBlackash · 2026-06-30
- Severity
- Low
- CVE
- CVE-2026-8932
- Category
- network
- Affected product
- libcurl (embedded library; standalone curl CLI unaffected)
- Affected versions
- 7.7 through 8.20.0
- Disclosed
- 2026-06-30
- Patch status
- patched
References
Archive entry
intelseclab/poc-archiveMetadata
| Field | Value |
|---|---|
| Date Added | 2026-06-30 |
| Last Updated | 2026-06-30 |
| Author / Researcher | Ashraf Zaryouh / 0xBlackash |
| CVE / Advisory | CVE-2026-8932 |
| Category | network |
| Severity | Low |
| CVSS Score | Low (no numeric score published) |
| Status | PoC |
| Tags | authentication-bypass, mTLS, TLS, libcurl, connection-reuse, client-certificate, C, Low |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | libcurl (embedded library; standalone curl CLI unaffected) |
| Versions Affected | 7.7 through 8.20.0 |
| Language / Platform | C (PoC); any platform embedding libcurl |
| Authentication Required | N/A (the bug bypasses mTLS authentication itself) |
| Network Access Required | Yes (HTTPS/TLS endpoint) |
Summary
CVE-2026-8932 is a Low-severity authentication bypass in libcurl’s TLS connection reuse logic. Certain mTLS private-key configuration parameters (key file path, key type, key password) were omitted from the connection-matching comparison performed when libcurl evaluates whether an existing TLS session can be reused. As a result, when an application switches from one client certificate to another within a shared connection pool, libcurl incorrectly reuses the existing TLS session authenticated under the first certificate, rather than performing a fresh handshake with the new certificate. The server receives traffic authenticated as the original client even though the application believes it is using different credentials. Notably, this bug dates to curl 7.7 (2001), making it the oldest security vulnerability ever fixed in the libcurl project — undetected for approximately 25 years. Fixed in libcurl 8.21.0.
Vulnerability Details
Root Cause
libcurl’s SSL session reuse logic evaluates a set of connection parameters to determine whether a cached TLS connection is compatible with a new request. The comparison did not include:
CURLOPT_SSLKEY(private key file path)CURLOPT_SSLKEYTYPE(key type)CURLOPT_KEYPASSWD(key password)
When CURLSHOPT_SHARE + CURL_LOCK_DATA_SSL_SESSION is used to share SSL sessions across handles, a new handle configured with a different client certificate matched the cached session under the old certificate, and the old session was reused without renegotiation.
CWE-305 (Authentication Bypass by Primary Weakness).
Attack Scenario
- Application uses libcurl with shared SSL session (
CURLSHOPT_SHARE). - Request A is made with Client Certificate A — TLS handshake succeeds, session cached.
- Application reconfigures libcurl with Client Certificate B for Request B.
- libcurl finds cached session from Request A matches the (incomplete) comparison criteria.
- libcurl reuses the old TLS session; server authenticates Request B as Certificate A.
- Authentication boundary violated: Request B is processed under the wrong client identity.
Impact
- Incorrect client identity presented to mTLS-gated servers.
- Authentication bypass in multi-tenant or certificate-rotation scenarios.
- Most severe in applications that manage multiple client identities through a shared libcurl session pool (e.g., API gateways, service meshes, embedded agents).
- Standalone
curlCLI is not affected (it does not use shared session pools in this pattern).
Environment / Lab Setup
Compiler: gcc with libcurl dev headers (libcurl < 8.21.0)
Test: mTLS-enabled HTTPS server with two distinct client certificates
Build PoC
| |
Proof of Concept
What the PoC Demonstrates
The PoC creates two libcurl handles sharing an SSL session pool:
- Handle 1: configured with Certificate A.
- Handle 2: configured with Certificate B.
A vulnerable libcurl returns CURLE_OK for both requests and sends both under Certificate A’s TLS session, demonstrating the reuse. A patched libcurl rejects the mismatched session and performs a fresh handshake for Handle 2.
Expected Output (Vulnerable)
[*] Request 1 (Certificate A): CURLE_OK — authenticated as cert_a
[*] Request 2 (Certificate B): CURLE_OK — authenticated as cert_a (BYPASS)
[!] Session reuse detected. Both requests used Certificate A's TLS session.
Expected Output (Patched)
[*] Request 1 (Certificate A): CURLE_OK
[*] Request 2 (Certificate B): CURLE_OK — fresh TLS handshake with cert_b
[+] No bypass. New handshake performed.
Detection & Indicators of Compromise
| |
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade libcurl to 8.21.0 or later |
| Workaround | Avoid CURL_LOCK_DATA_SSL_SESSION sharing across handles that use different client certificates |
| Verify | Audit all applications using libcurl with shared SSL sessions and mTLS client certificates |
References
| |