# Curl Update Addresses 25-Year-Old Security Flaw

*Published June 26, 2026*
*Source: [https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/](https://www.securityweek.com/25-year-old-vulnerability-patched-in-curl/)*

## Executive Summary

Curl has released an update addressing 18 security vulnerabilities, including a significant flaw present for 25 years. This update is crucial for the security of over 30 billion devices using curl for data transfer.

## Article

This week, curl, the widely used open source data transfer tool and library, received a significant update that patched 18 vulnerabilities. Among these is a flaw that dates back 25 years, underscoring the ongoing challenges of maintaining robust security in long-standing software. The vulnerabilities, identified through a collaborative community effort, include four of medium severity and 14 of low severity. This update marks the highest number of Common Vulnerabilities and Exposures (CVEs) addressed in a single curl release.

One of the most notable issues, tracked as CVE-2026-8932, involves mTLS connection reuse, which could potentially lead to an authentication bypass. This vulnerability affects applications using libcurl, not the curl command-line tool. The issue arises because libcurl might reuse an existing connection even after the client certificate or private key settings have changed.

Security firm Aisle used its AI platform to uncover multiple vulnerabilities in curl and libcurl, contributing six CVEs this year, including CVE-2026-8932. Other identified flaws involve credential confusion, double-free, use-after-free, and improper host validation.

As curl is deployed on over 30 billion devices globally, including servers, smartphones, and vehicles, these vulnerabilities hold significant value for potential attackers. Despite this, there have been no public reports of these security issues being exploited in the wild.
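The connection-reuse behaviour described above for CVE-2026-8932, as an added example that is not curl's code and not part of the original article: a simplified C model of a connection cache, contrasting a reuse check keyed on the endpoint alone with one that also compares the client certificate and key settings. The struct, function names, host name and file names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a connection cache (assumption: not libcurl's real structures). */
struct conn_cfg {
    const char *host;
    int port;
    const char *client_cert;   /* client certificate setting, or NULL */
    const char *client_key;    /* private key setting, or NULL */
};
typedef int (*match_fn)(const struct conn_cfg *, const struct conn_cfg *);

#define POOL_MAX 8
static struct conn_cfg pool[POOL_MAX];
static int pool_len;

static int str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;   /* NULL only equals NULL */
    return strcmp(a, b) == 0;
}
/* Weak reuse check: same endpoint is enough. */
static int match_endpoint_only(const struct conn_cfg *c, const struct conn_cfg *want) {
    return c->port == want->port && str_eq(c->host, want->host);
}
/* Strict reuse check: the mTLS client identity settings must match too. */
static int match_with_identity(const struct conn_cfg *c, const struct conn_cfg *want) {
    return match_endpoint_only(c, want) &&
           str_eq(c->client_cert, want->client_cert) &&
           str_eq(c->client_key, want->client_key);
}
/* Reuse a cached connection if the check accepts it, otherwise open a new one. */
static int get_conn(const struct conn_cfg *want, match_fn match) {
    for (int i = 0; i < pool_len; i++)
        if (match(&pool[i], want)) return i;
    if (pool_len == POOL_MAX) return -1;
    pool[pool_len] = *want;
    return pool_len++;
}
/* Two requests to one endpoint with different client certs (constructed values).
   Returns the certificate the second request's connection was authenticated with. */
const char *identity_used(match_fn match) {
    struct conn_cfg first  = {"api.example.test", 443, "alice.pem", "alice.key"};
    struct conn_cfg second = {"api.example.test", 443, "bob.pem", "bob.key"};
    pool_len = 0;
    get_conn(&first, match);
    return pool[get_conn(&second, match)].client_cert;
}
int main(void) {
    printf("endpoint-only check:  second request sent as %s\n", identity_used(match_endpoint_only));
    printf("identity-aware check: second request sent as %s\n", identity_used(match_with_identity));
    return 0;
}
```

With the endpoint-only check the second request travels over the connection that was authenticated with the first certificate; the identity-aware check opens a separate connection.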
