A vulnerability in libcurl caused the HTTP Referer: header to persist even
when explicitly cleared. While the documentation states that passing NULL to
CURLOPT_REFERER suppresses the header, the option failed to clear the
internal state. As a result, the previous referrer string was erroneously
reused and sent in subsequent requests, potentially leaking sensitive
information to unintended servers.
{
"package": "curl",
"affects": "lib",
"last_affected": "8.20.0",
"CWE": {
"id": "CWE-200",
"desc": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"issue": "https://hackerone.com/reports/3754343",
"severity": "Low",
"www": "https://curl.se/docs/CVE-2026-9546.html",
"URL": "https://curl.se/docs/CVE-2026-9546.json"
}[
{
"id": "CURL-CVE-2026-9546-7ba9ca43",
"digest": {
"line_hashes": [
"329802710635362475633966257142929289229",
"59722172210655117825890418870938329781",
"183831522990858182837473479172905867047",
"304554302798540308152858876043779062238"
],
"threshold": 0.9
},
"target": {
"file": "lib/transfer.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e",
"deprecated": false,
"signature_type": "Line"
},
{
"id": "CURL-CVE-2026-9546-93bc1aa3",
"digest": {
"length": 3790.0,
"function_hash": "192731219037552860576466850254657292841"
},
"target": {
"function": "Curl_pretransfer",
"file": "lib/transfer.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/862e8a74a84478d82973471b4f49dc2746c1780e",
"deprecated": false,
"signature_type": "Function"
}
]
"https://curl.se/docs/CURL-CVE-2026-9546.json"
"2026-07-07T18:35:02Z"