JustAppSec
UNKNOWN Severity

CVE-2026-3783

Last updated Mar 11, 2026 · Published Mar 11, 2026

← Back to list

Description

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances. If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.

Affected products

1 listed
  • curl:curl

Mappings

CWE

CWE-522

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use. Terms

Need help?Get in touch.