PatchSiren cyber security CVE debrief
CVE-2026-12064 Haxx CVE debrief
CVE-2026-12064 is a high-severity vulnerability in Curl, a popular command-line tool for transferring data. The vulnerability occurs when a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), leading to a disconnect between the tool layer and libcurl. This causes the tool layer to incorrectly infer the URL scheme, bypassing critical SSH security options. The vulnerability affects users of Curl, particularly those using versions between 7.81.0 and 8.21.0. The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then.
- Vendor
- Haxx
- Product
- Curl
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-03
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-03
- Advisory updated
- 2026-07-07
Who should care
Users of Curl, particularly those using versions between 7.81.0 and 8.21.0, should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Curl and being cautious when using schemeless URLs with `--proto-default` sftp (or scp).
Technical summary
The vulnerability occurs when a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp). This leads to a disconnect between the tool layer and libcurl, causing the tool layer to incorrectly infer the URL scheme. As a result, critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS are silently omitted, allowing curl to connect to an unverified SSH remote host without throwing an error. The vulnerability affects Curl versions between 7.81.0 and 8.21.0.
Defensive priority
High
Recommended defensive actions
- Update to a patched version of Curl
- Be cautious when using schemeless URLs with `--proto-default` sftp (or scp)
- Verify SSH host public key SHA256 and known hosts
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then. The NVD entry is currently Analyzed. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details about the vulnerability, and the NVD entry does not offer further information. Users should review the official advisory for more information.
Official resources
-
CVE-2026-12064 CVE record
CVE.org
-
CVE-2026-12064 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Patch, Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Vendor Advisory
-
Mitigation or vendor reference
2499f714-1537-4658-8207-48ae4bb9eae9 - Exploit, Issue Tracking, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then.