CVE-2026-3783: token leak with redirect and netrc
Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3583983 (reported by spectreglobalsec)
## Summary
When --oauth2-bearer is used together with --netrc and curl follows a redirect, the bearer token is sent to the redirect target. The netrc bypass at lib/http.c:822 skips Curl_auth_allowed_to_host(), the check that gates whether credentials may be sent to the new host, so the token is forwarded.
This is an incomplete fix for the same vulnerability class as CVE-2025-14524: the Dec 2025 SASL bearer fix (commit 1a822275d3, PR #19933) patched lib/curl_sasl.c but left the HTTP bearer path at lib/http.c:704-714 unprotected.
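To make the skipped check concrete, here is an added illustration, not curl's own code: a simplified model of the decision the report describes, with the netrc branch returning before the host check beside the shape where the host check applies to every credential source. The struct, the function names other than Curl_auth_allowed_to_host() (named only in comments) and the hostnames are assumptions for this illustration.

```c
#include <stdbool.h>
#include <strings.h>

/* Added illustration, not curl's source: a model of the decision the report says
 * lib/http.c gets wrong. Real check: Curl_auth_allowed_to_host(); names here are hypothetical. */
struct redirect_ctx {
    const char *original_host;  /* host given on the command line */
    const char *target_host;    /* host named in the Location: header */
    bool netrc_in_use;          /* --netrc was given */
    bool location_trusted;      /* --location-trusted was given */
};

/* Credentials may follow a redirect only to the same host, unless the user
 * explicitly opted in with --location-trusted. */
static bool auth_allowed_to_host(const struct redirect_ctx *c)
{
    if (c->location_trusted)
        return true;
    return strcasecmp(c->original_host, c->target_host) == 0;
}

/* Vulnerable shape: the netrc branch decides early and never reaches the
 * host check, so the bearer token is sent wherever the redirect points. */
static bool send_bearer_vulnerable(const struct redirect_ctx *c)
{
    if (c->netrc_in_use)
        return true;            /* bypass: host check skipped */
    return auth_allowed_to_host(c);
}

/* Fixed shape: the host check gates the token regardless of credential source. */
static bool send_bearer_fixed(const struct redirect_ctx *c)
{
    return auth_allowed_to_host(c);
}

/* Constructed scenario (placeholder hosts): --netrc plus a cross-host redirect. */
bool leaks_after_cross_host_redirect(bool fixed)
{
    struct redirect_ctx c = {"api.example.com", "other.example.net", true, false};
    return fixed ? send_bearer_fixed(&c) : send_bearer_vulnerable(&c);
}

/* Same host, differing only in case, must still get the token after the fix. */
bool same_host_still_allowed(void)
{
    struct redirect_ctx c = {"api.example.com", "API.example.com", true, false};
    return send_bearer_fixed(&c);
}
```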
Version
Confirmed on curl 8.10.1; also present in current master (d9c2c64337). All versions supporting --oauth2-bearer with --netrc are affected.
The netrc bypass (lib/http.c:820-827):