Curl, the widely used open source tool and library for data transfer, has been updated to address 18 security vulnerabilities, including a flaw that had persisted for 25 years. The release sets a record for the most CVEs patched in a single curl update. Among them, one of particular concern, tracked as CVE-2026-8932, concerns connection reuse under mutual TLS (mTLS) and can result in an authentication bypass. It affects applications built on libcurl, not the curl command-line tool.
The problem is that libcurl can reuse an already established connection even after the client certificate or private key settings have changed, so a transfer configured with a different client identity may be sent over a connection that was authenticated with the previous one. This vulnerability, alongside others such as credential confusion and improper host validation, was identified by the AI platform of the vulnerability management firm Aisle. The discovery followed an initial bug report from Anthropic's Mythos in early May, which prompted further investigation into curl's security.
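To make the failure mode concrete, here is an added example, written for this page and not taken from libcurl or from the advisory: a small model of a connection cache that matches pooled connections on host and port only, beside one that also matches on the client identity the connection was authenticated with. The class and function names, the sample identities (alice.pem, bob.pem) and the host api.example are all constructed for the illustration; the `fresh_connect` and `forbid_reuse` flags model the behaviour of libcurl's CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE options, not their implementation.

```python
# Added illustration (not libcurl source): a TLS connection cache that matches
# pooled connections on host and port only, beside one that also matches on the
# client identity the connection was authenticated with. All names are made up.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TlsIdentity:
    """Client credentials configured for a transfer (None: no client cert)."""
    cert: Optional[str]
    key: Optional[str]


@dataclass
class Connection:
    host: str
    port: int
    identity: TlsIdentity   # identity presented in the handshake that created it
    in_use: bool = False


@dataclass
class Transfer:
    host: str
    port: int
    identity: TlsIdentity
    fresh_connect: bool = False   # analogue of CURLOPT_FRESH_CONNECT
    forbid_reuse: bool = False    # analogue of CURLOPT_FORBID_REUSE


class ConnectionPool:
    def __init__(self, check_identity: bool) -> None:
        self.check_identity = check_identity
        self.conns: List[Connection] = []
        self.handshakes = 0

    def _matches(self, conn: Connection, xfer: Transfer) -> bool:
        if conn.in_use or conn.host != xfer.host or conn.port != xfer.port:
            return False
        # The weak cache stops here: a connection authenticated as one client
        # is handed to a transfer configured with different credentials.
        if self.check_identity and conn.identity != xfer.identity:
            return False
        return True

    def acquire(self, xfer: Transfer) -> Connection:
        if not xfer.fresh_connect:
            for conn in self.conns:
                if self._matches(conn, xfer):
                    conn.in_use = True
                    return conn
        # No usable connection: "perform a handshake" with the transfer's identity.
        self.handshakes += 1
        conn = Connection(xfer.host, xfer.port, xfer.identity, in_use=True)
        self.conns.append(conn)
        return conn

    def release(self, conn: Connection, xfer: Transfer) -> None:
        conn.in_use = False
        if xfer.forbid_reuse:
            self.conns.remove(conn)


def perform(pool: ConnectionPool, xfer: Transfer) -> TlsIdentity:
    """Run one transfer and return the identity the server actually saw."""
    conn = pool.acquire(xfer)
    seen = conn.identity           # the peer only ever saw the handshake identity
    pool.release(conn, xfer)
    return seen


def run_scenario(check_identity: bool, fresh_connect: bool = False,
                 forbid_reuse: bool = False) -> Tuple[List[Optional[str]], int]:
    """Three transfers to one host as alice, then bob, then alice again.

    Returns the client cert the server saw on each transfer and the number of
    TLS handshakes the pool performed.
    """
    pool = ConnectionPool(check_identity)
    alice = TlsIdentity("alice.pem", "alice.key")   # constructed sample identities
    bob = TlsIdentity("bob.pem", "bob.key")
    seen = []
    for who in (alice, bob, alice):
        xfer = Transfer("api.example", 443, who, fresh_connect, forbid_reuse)
        seen.append(perform(pool, xfer).cert)
    return seen, pool.handshakes


if __name__ == "__main__":
    print("host/port only :", run_scenario(check_identity=False))
    print("identity-aware :", run_scenario(check_identity=True))
    print("fresh connect  :", run_scenario(False, fresh_connect=True))
    print("forbid reuse   :", run_scenario(False, forbid_reuse=True))
```

With the host/port-only cache, all three transfers ride the single connection that was authenticated as alice, so the server attributes bob's request to alice. Matching on the identity as well keeps reuse for same-identity transfers (two handshakes instead of three) while never mixing identities. Forcing a fresh connection or forbidding reuse also keeps identities separate, at the cost of a handshake per transfer; in real libcurl the corresponding controls are CURLOPT_FRESH_CONNECT and CURLOPT_FORBID_REUSE, and the simplest structural defence is to keep one handle (and thus one connection cache) per client identity rather than swapping certificate settings on a shared handle.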
Curl handles data transfer on over 30 billion devices worldwide, including servers, smartphones, and even cars, so the potential reach of these vulnerabilities is vast. Even so, there are no documented cases of any of them being exploited in the wild. Security researchers continue to scrutinize curl because of its ubiquity and because the bugs that remain tend to lie in intricate protocol paths and rarely visited areas of the code.