CVE-2026-3784 - Vulnerability Details

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a
server, even if the new request uses different credentials for the HTTP proxy.
The proper behavior is to create or use a separate connection.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0002.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Curl Subscribe	Curl Subscribe
Haxx Subscribe	Curl Subscribe

Configuration 1 [-]

cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Curl Subscribe	Curl Subscribe

Advisories

Source	ID	Title
Ubuntu USN	USN-8084-1	curl vulnerabilities
Ubuntu USN	USN-8099-1	curl vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/03/11/3
https://curl.se/docs/CVE-2026-3784.html
https://curl.se/docs/CVE-2026-3784.json
https://hackerone.com/reports/3584903
https://nvd.nist.gov/vuln/detail/CVE-2026-3784
https://www.cve.org/CVERecord?id=CVE-2026-3784

History

Fri, 13 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-3784 https://www.cve.org/CVERecord?id=CVE-2026-3784
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 12 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Haxx Haxx curl
CPEs		cpe:2.3:a:haxx:curl::::::::
Vendors & Products		Haxx Haxx curl

Thu, 12 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Vendors & Products		Curl Curl curl

Wed, 11 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-305
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Mar 2026 11:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/03/11/3

Wed, 11 Mar 2026 10:30:00 +0000

Type	Values Removed	Values Added
Description		curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
Title		wrong proxy connection reuse with credentials
References		https://curl.se/docs/CVE-2026-3784.html https://curl.se/docs/CVE-2026-3784.json https://hackerone.com/reports/3584903

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-03-11T10:09:21.418Z

Updated: 2026-03-11T15:48:41.725Z

Reserved: 2026-03-08T05:09:52.279Z

Link: CVE-2026-3784

Vulnrichment

Updated: 2026-03-11T10:16:32.844Z

NVD

Status : Analyzed

Published: 2026-03-11T11:16:00.437

Modified: 2026-03-12T14:09:50.470

Link: CVE-2026-3784

Redhat

Severity : Moderate

Publid Date: 2026-03-11T10:09:21Z

Links: CVE-2026-3784 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-12T10:06:03Z

Weaknesses

CWE-305

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object