When a libcurl-based application performs transfers via SCP:// or SFTP://
and utilizes the CURLOPT_SSH_KEYFUNCTION callback, it may silently accept an
untrusted server. This vulnerability occurs when a server presents a host key
type that does not match the specific key type already recorded for that host
in the known_hosts file. Instead of rejecting the mismatch, the callback
mechanism fails to properly enforce the restriction, allowing the connection
to succeed without warning and risking a potential man-in-the-middle attack.
{
"package": "curl",
"affects": "lib",
"last_affected": "8.20.0",
"CWE": {
"id": "CWE-297",
"desc": "Improper Validation of Certificate with Host Mismatch"
},
"issue": "https://hackerone.com/reports/3751712",
"severity": "Low",
"www": "https://curl.se/docs/CVE-2026-9547.html",
"URL": "https://curl.se/docs/CVE-2026-9547.json"
}[
{
"id": "CURL-CVE-2026-9547-e5ddacc0",
"digest": {
"length": 4615.0,
"function_hash": "171591672620915120098914005398439744356"
},
"target": {
"function": "myssh_is_known",
"file": "lib/vssh/libssh.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/0b8dbbc63c98777e4584cb9fbd71df3464008ad1",
"deprecated": false,
"signature_type": "Function"
},
{
"id": "CURL-CVE-2026-9547-ffd5c5b3",
"digest": {
"line_hashes": [
"19522727956082994505377891717732253881",
"17505745399782688697084999810884215111",
"65466782891270922555303879365870593631",
"39998244195617753293703183793609467932"
],
"threshold": 0.9
},
"target": {
"file": "lib/vssh/libssh.c"
},
"signature_version": "v1",
"source": "https://github.com/curl/curl.git/commit/0b8dbbc63c98777e4584cb9fbd71df3464008ad1",
"deprecated": false,
"signature_type": "Line"
}
]
"https://curl.se/docs/CURL-CVE-2026-9547.json"
"2026-07-07T18:35:03Z"