Name CVE-2026-3784 Description curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection. Source CVE (at NVD ; CERT , ENISA , LWN , oss-sec , fulldisc , Debian ELTS , Red Hat , Ubuntu , Gentoo , SUSE bugzilla /CVE , GitHub advisories /code /issues , web search , more )
Vulnerable and fixed packages The table below lists information on source packages.
Source Package Release Version Status curl (PTS )bullseye 7.74.0-1.3+deb11u13 vulnerable bullseye (security) 7.74.0-1.3+deb11u16 vulnerable bookworm 7.88.1-10+deb12u14 vulnerable bookworm (security) 7.88.1-10+deb12u5 vulnerable trixie 8.14.1-2+deb13u2 vulnerable forky 8.19.0-3 fixed sid 8.20.0~rc2-1 fixed
The information below is based on the following data on fixed versions.
Package Type Release Fixed Version Urgency Origin Debian Bugs curl source (unstable) 8.19.0-1
Notes [trixie] - curl <no-dsa> (Minor issue) [bookworm] - curl <no-dsa> (Minor issue) [bullseye] - curl <postponed> (Minor issue) https://curl.se/docs/CVE-2026-3784.html https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2)https://github.com/curl/curl/commit/5f13a7645e565c5c1a06f3ef86e97afb856fb364 (curl-8_19_0)