PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12064 Haxx CVE debrief

CVE-2026-12064 is a high-severity vulnerability in Curl, a popular command-line tool for transferring data. The vulnerability occurs when a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp), leading to a disconnect between the tool layer and libcurl. This causes the tool layer to incorrectly infer the URL scheme, bypassing critical SSH security options. The vulnerability affects users of Curl, particularly those using versions between 7.81.0 and 8.21.0. The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then.

Vendor
Haxx
Product
Curl
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-03
Original CVE updated
2026-07-07
Advisory published
2026-07-03
Advisory updated
2026-07-07

Who should care

Users of Curl, particularly those using versions between 7.81.0 and 8.21.0, should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Curl and being cautious when using schemeless URLs with `--proto-default` sftp (or scp).

Technical summary

The vulnerability occurs when a user invokes curl using a schemeless URL combined with `--proto-default` sftp (or scp). This leads to a disconnect between the tool layer and libcurl, causing the tool layer to incorrectly infer the URL scheme. As a result, critical SSH security options like CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 and CURLOPT_SSH_KNOWNHOSTS are silently omitted, allowing curl to connect to an unverified SSH remote host without throwing an error. The vulnerability affects Curl versions between 7.81.0 and 8.21.0.

Defensive priority

High

Recommended defensive actions

  • Update to a patched version of Curl
  • Be cautious when using schemeless URLs with `--proto-default` sftp (or scp)
  • Verify SSH host public key SHA256 and known hosts
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then. The NVD entry is currently Analyzed. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details about the vulnerability, and the NVD entry does not offer further information. Users should review the official advisory for more information.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-03T07:16:24.217Z and has not been modified since then.