PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9547 curl CVE debrief

A libcurl-based application performing transfers via `SCP://` or `SFTP://` and utilizing the `CURLOPT_SSH_KEYFUNCTION` callback may silently accept an untrusted server. This occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. The vulnerability allows the connection to succeed without warning, potentially leading to a man-in-the-middle attack. Developers and users of libcurl-based applications should be aware of this issue and take steps to mitigate it.

Vendor
curl
Product
Unknown
CVSS
HIGH 7.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Developers and users of libcurl-based applications that utilize the `CURLOPT_SSH_KEYFUNCTION` callback and transfer data via `SCP://` or `SFTP://` should be aware of this vulnerability and take steps to mitigate it. This includes reviewing and updating affected applications, implementing additional security measures, and monitoring for potential attacks.

Technical summary

The vulnerability occurs when a server presents a host key type that does not match the specific key type already recorded for that host in the `known_hosts` file. Instead of rejecting the mismatch, the callback mechanism fails to properly enforce the restriction, allowing the connection to succeed without warning and risking a potential man-in-the-middle attack. This issue affects libcurl-based applications using the `CURLOPT_SSH_KEYFUNCTION` callback for `SCP://` or `SFTP://` transfers.

Defensive priority

High

Recommended defensive actions

  • Review and update libcurl-based applications to ensure they properly handle host key type mismatches.
  • Implement additional security measures, such as verifying the host key type before establishing a connection.
  • Monitor for and respond to potential man-in-the-middle attacks.
  • Conduct a thorough review of affected systems and apply patches or mitigations as necessary.
  • Verify the integrity of connections using `SCP://` or `SFTP://` protocols.
  • Update documentation and training for developers and users on secure usage of libcurl.
  • Perform regular security audits to detect and address potential vulnerabilities.

Evidence notes

The CVE record was published on 2026-07-03T07:16:25.990Z and was last modified on 2026-07-07T14:52:29.503Z. The NVD entry is currently Analyzed. This information is based on the provided source corpus and may not reflect the full scope of affected systems or potential impacts. Further verification is recommended to ensure accurate understanding of this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:25.990Z and has not been modified since then. The NVD entry is currently Analyzed.