JustAppSec

curl fixes OAuth bearer token leak on redirects when using .netrc (CVE-2026-3783)

What happened

The curl project published a security advisory for CVE-2026-3783 describing a scenario where OAuth2 Bearer tokens can be unintentionally sent to a different hostname after an HTTP(S) redirect.

The leak can occur when curl follows a redirect and the redirected-to hostname matches an entry in the user's .netrc (either a machine entry naming that host or a default entry, which matches any host). In that case, curl could send the bearer token set for the first host to the second host under some circumstances.

Although the curl project rates this issue as Medium severity, it is operationally important for developers and platform engineers because bearer tokens are often used in automation, CI jobs, and service-to-service API calls, where redirects and shared credential files are common.

Who is impacted

  • Affected versions: curl/libcurl 7.33.0 through 8.18.0 (inclusive).
  • Not affected: curl/libcurl < 7.33.0 and >= 8.19.0.
  • Any environment using curl or libcurl with OAuth2 bearer tokens, redirects enabled, and a .netrc file that can match the redirected hostname (including via a default entry).

What to do now

  • Upgrade to curl/libcurl 8.19.0 (recommended fix).
  • If you cannot upgrade immediately, reduce exposure by avoiding the combination of bearer tokens and followed redirects, and review or limit .netrc use (especially default entries) in automation contexts.
  • Inventory where libcurl is embedded (it may be present indirectly via other software) and prioritize updates in internet-facing or CI/CD environments where tokens are high-value.
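The two checks below are an added example written for this summary; they are not code from the curl project or its advisory. They test the conditions the advisory names: whether the installed curl falls in the affected range 7.33.0 through 8.18.0, and whether a .netrc file would match a given redirect target (explicitly, or through a default entry, which matches every host). The wrapper at the end shows the interim pattern of sending a bearer token with redirects disabled. The .netrc files, hostnames and placeholder credentials are constructed for the demonstration; the curl flags used (--no-location, -w '%{http_code}') are standard curl options.

```shell
#!/bin/sh
# Added example, not from the curl advisory or the JustAppSec post.
#   1. Is the installed curl inside the affected range 7.33.0 .. 8.18.0?
#   2. Which hostnames would a .netrc match, and does it contain a 'default'
#      entry (which matches every host, hence every redirect target)?
#   3. A wrapper that sends a bearer token without following redirects.

# "8.18.0" -> 8018000, so versions compare as integers.
# Assumes each component is below 1000, which holds for curl releases.
ver_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Exit status 0 when VERSION is within the affected range (inclusive).
curl_affected() {
  _v=$(ver_to_int "$1")
  [ "$_v" -ge "$(ver_to_int 7.33.0)" ] && [ "$_v" -le "$(ver_to_int 8.18.0)" ]
}

# First line of `curl --version` looks like
# "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 ..."; keep the version
# and drop any suffix such as "-DEV". Prints nothing if curl is not on PATH.
installed_curl_version() {
  curl --version 2>/dev/null | head -n 1 | awk '{print $2}' | sed 's/[^0-9.].*$//'
}

report_installed_curl() {
  v=$(installed_curl_version)
  if [ -z "$v" ]; then
    echo "curl: not found on PATH"
  elif curl_affected "$v"; then
    echo "curl $v: inside affected range 7.33.0-8.18.0, upgrade to 8.19.0"
  else
    echo "curl $v: outside affected range"
  fi
}

# Tokenises a .netrc (entries may span several lines) and prints one line
# per host named by a 'machine' entry, plus the literal DEFAULT when a
# 'default' entry is present. 'macdef' bodies are not parsed.
netrc_hosts() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        tok = $i
        if (skip) { skip = 0; continue }             # value after login/password/account
        if (want) { print tok; want = 0; continue }  # hostname after "machine"
        if (tok == "machine") { want = 1; continue }
        if (tok == "default") { print "DEFAULT"; continue }
        if (tok == "login" || tok == "password" || tok == "account") { skip = 1 }
      }
    }
  ' "$1"
}

# Exit status 0 when HOST would be matched by FILE, either because it is
# listed explicitly or because a 'default' entry catches it.
netrc_matches_host() {
  netrc_hosts "$1" | grep -qxF -e "$2" -e DEFAULT
}

# Interim pattern for hosts that cannot be upgraded yet: send the token with
# redirects disabled and fail loudly on a 3xx, so curl never has to decide
# what to resend to the new host. --no-location also overrides a 'location'
# line in ~/.curlrc. Prints the HTTP status on success.
fetch_with_bearer() {
  code=$(curl -sS --no-location -o /dev/null -w '%{http_code}' \
             -H "Authorization: Bearer $2" "$1") || return 1
  case $code in
    3??) echo "refusing redirect from $1 (HTTP $code); token not resent" >&2; return 2 ;;
  esac
  echo "$code"
}

# Constructed sample files with placeholder credentials (not real ones).
NETRC_EXPLICIT=$(mktemp)
NETRC_WITH_DEFAULT=$(mktemp)
trap 'rm -f "$NETRC_EXPLICIT" "$NETRC_WITH_DEFAULT"' EXIT
cat > "$NETRC_EXPLICIT" <<'EOF'
machine api.example.com login ci-bot password PLACEHOLDER-1
machine git.example.com
  login deploy
  password PLACEHOLDER-2
EOF
cat > "$NETRC_WITH_DEFAULT" <<'EOF'
machine api.example.com login ci-bot password PLACEHOLDER-1
default login anonymous password PLACEHOLDER-3
EOF

report_installed_curl
echo "explicit .netrc matches cdn.example.net:" \
     "$(netrc_matches_host "$NETRC_EXPLICIT" cdn.example.net && echo yes || echo no)"
echo "default .netrc matches cdn.example.net:" \
     "$(netrc_matches_host "$NETRC_WITH_DEFAULT" cdn.example.net && echo yes || echo no)"
```

Run it as a script to get the version verdict for the local curl; point netrc_matches_host at the .netrc files your CI images and service accounts actually use, with the hostnames your jobs get redirected to, to find the combinations the advisory describes. The default entry is the one to look for first, because it turns every redirect target into a credential match.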

Additional Information

  • Advisory states the issue is assigned CVE-2026-3783 and categorized as CWE-522: Insufficiently Protected Credentials.
  • The curl project notes the fix is included in curl 8.19.0, released in coordination with publication of the advisory.

Source: curl Project Security Advisory
Published 11 Mar 2026

