A critical security vulnerability in curl and libcurl, tracked as CVE-2026-1965, could allow attackers to hijack authenticated HTTP connections when Negotiate authentication is used with connection reuse. The curl project has released version 8.19.0 to plug the flaw, and Windows users — who depend on curl in countless command-line tools, PowerShell scripts, and enterprise applications — are urged to upgrade immediately.

The bug lives in the library’s implementation of HTTP Negotiate/SPNEGO authentication, a mechanism heavily used in Windows-centric environments to handle Kerberos and NTLM challenges. If your application reuses a persistent HTTP connection to send requests that switch between different user credentials, curl may inadvertently reuse a previously established security context. The result: a subsequent request could be dispatched with the identity of a previous, possibly more privileged user, bypassing access controls.

What Is CVE-2026-1965 and Why Does It Matter?

At its core, the vulnerability arises from how curl caches and associates Negotiate authentication contexts with connections. When a client authenticates to a server using SPNEGO, the server issues a 401 response with a WWW-Authenticate: Negotiate header. The client responds with a token, typically a Kerberos service ticket or an NTLM message. Once the handshake completes, the connection is effectively “bound” to that security context. For efficiency, curl reuses connections for multiple HTTP requests via HTTP/1.1 keep‑alive or HTTP/2 multiplexing.

Problem: if the same connection is reused for a request that specifies a different user (through, for example, a different --user argument or a separate authentication callback), curl might not properly invalidate the stored Negotiate state. Instead, it may resend the old token, causing the server to process the new request under the original user’s identity. In an enterprise setting where a single server hosts resources for many users, this identity confusion can lead to unauthorized data access, privilege escalation, or information leakage.

The advisory explicitly warns: “If your application uses curl or libcurl with HTTP Negotiate/SPNEGO authentication against the same host using multiple credentials or long-lived reusable connections, upgrade to curl/libcurl 8.19.0.” The terse excerpt tells us the fix is not a configuration tweak but a code-level patch.

Technical Deep‑Dive: How Negotiate Authentication and Connection Reuse Collide

HTTP Negotiate is a Microsoft‑defined authentication scheme (RFC 4559) that uses SPNEGO to negotiate a sub‑mechanism — Kerberos or NTLM. On Windows, when a service (like IIS with Integrated Windows Authentication) receives a request, it sends a WWW-Authenticate: Negotiate challenge. The client then obtains a security token—typically via SSPI calls that leverage the current Windows logon session or explicit credentials.

Curl’s libcurl abstracts this through its authentication modules. When you issue a command like:

curl --negotiate -u : --url https://internal.example.com/api/data

the library performs the SPNEGO dance, caches the resulting security context, and attaches it to the underlying curl_easy handle or to the connection cache.

Here’s where CVE-2026-1965 bites. In connection reuse scenarios, a single TCP connection (or HTTP/2 stream) may be reused by multiple logical requests. If a request with credential set A is followed by a request with credential set B on the same connection, libcurl might – due to the bug – not purge the old security context. Instead, it sends request B but with the token derived from credential A. The server, which trusts the token, processes request B as user A.

Attack surface: any multi‑user system where a script or service iterates over different identities against the same endpoint could inadvertently cross wires. Developer workstations that run CI pipelines, administrative scripts that test different accounts, or even browsers that embed libcurl (though rare) could be impacted. In the worst case, an unprivileged user could retrieve data belonging to a domain administrator if both identities access the same server in quick succession via a shared curl handle.

Why Windows Users Are Uniquely Exposed

Curl isn’t a stranger to Windows — it’s a first‑class citizen. Since Windows 10 version 1803, Microsoft ships curl.exe and the underlying libcurl.dll in the system image. PowerShell’s Invoke-WebRequest and Invoke-RestMethod use libcurl under the hood in many configurations. Azure CLI, Git for Windows, and a plethora of developer tools (Node.js native add‑ons, Python’s pip, Rust’s cargo) link against libcurl. The library is so embedded that an outdated copy can live in dozens of directories, each a potential vulnerability.

Enterprise environments that run IIS with Integrated Windows Authentication and use client‑side scripts that loop through multiple accounts are precisely the target profile. Consider a daily inventory script that queries an internal web portal: version 1 uses a service account, version 2 uses a user’s individual account, both over a persistent connection kept alive by an unpatched curl. Identity confusion is not just theoretical.

Moreover, the Windows‑shipped curl is updated through Windows Update, but the lag between upstream curl releases and a Microsoft‑delivered fix can be weeks. Many power users install a separate, newer curl via winget, choco, or manual download. This split creates a management headache for IT admins: which binaries are safe? Which are not?

How to Check Your curl Version and Upgrade on Windows

First, determine what you have. Open a Command Prompt or PowerShell and run:

curl --version

If the output shows a version earlier than 8.19.0, you need to act. Note that the system32 curl might print curl 8.9.0 (or whatever Windows bundled), while a separately installed one might show something different. Check all installations:

  • System path: run where curl to list all executables.
  • Tools that bundle their own: git\mingw64\bin\curl.exe, Program Files\Azure CLI\, etc.
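
The check above, scripted as an added example (not code from the curl project or Microsoft): it lists every curl.exe on PATH plus any curl.exe or libcurl DLL under a few assumed search roots, and compares each against 8.19.0. The function name and the search roots are assumptions. It calls curl.exe by name because in Windows PowerShell 5.1 a bare curl is an alias for Invoke-WebRequest.

```powershell
$Fixed = [version]'8.19.0'   # fixed release named in the article
# Assumed search roots; add tool directories specific to your environment.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }

function Get-LibcurlVersion([string]$Path) {
    if ($Path -like '*.dll') {
        # Best effort: relies on the DLL carrying a version resource (Details tab).
        $text = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    } else {
        # First line looks like "curl 8.9.0 (Windows) libcurl/8.9.0 Schannel ...".
        # The libcurl/ field is the one that matters if curl.exe loads a separate libcurl.
        $text = try { & $Path --version 2>$null | Select-Object -First 1 } catch { $null }
        if ($text -match 'libcurl/(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    }
    if ($text -match '(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

# Ask for curl.exe explicitly so the PowerShell alias is never resolved.
$onPath = Get-Command curl.exe -All -CommandType Application -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Source
$onDisk = Get-ChildItem -Path $Roots -Recurse -File -Include 'curl.exe', 'libcurl*.dll' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName

@($onPath) + @($onDisk) | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
    $v = Get-LibcurlVersion $_
    [pscustomobject]@{
        Path    = $_
        Version = $v
        # [version] compares numerically; as strings, '8.9.0' would sort after '8.19.0'.
        Status  = if (-not $v) { 'unknown' } elseif ($v -lt $Fixed) { 'needs update' } else { 'ok' }
    }
}
```

Entries reported as unknown (no version resource, or a binary that would not run) need a manual look.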

To upgrade the standalone curl:

  • Official binaries: visit curl.se and download the 8.19.0 installer or zip.
  • Via winget: winget install --id=cURL.cURL -v 8.19.0 (once the package is updated).
  • Via Chocolatey: choco upgrade curl (check that 8.19.0 is available).

For the Windows system‑provided curl, you can’t replace it manually — Microsoft must release a servicing update. Keep an eye on the Microsoft Security Response Center and Patch Tuesday releases. In the interim, you can enforce use of a newer, sideloaded curl by adjusting your PATH or invoking it explicitly.

Applications that dynamically link to libcurl.dll (like a custom .NET P/Invoke wrapper or an Electron app) may need a developer‑issued update. Users should contact vendors for confirmation. The libcurl.dll file version can be inspected by right‑clicking the file, selecting Properties, and viewing the Details tab.

Mitigation Steps If You Can’t Upgrade Immediately

If an immediate upgrade is impossible, apply workarounds. The core issue hinges on connection reuse, so disabling it removes the attack vector.

  • For command‑line curl: append --no-keepalive to each command, or use -H "Connection: close". Better yet, avoid --negotiate with multiple -u switches on the same command line. Perform sequential requests with separate curl invocations to guarantee fresh connections.
  • For libcurl‑based applications: developers should set CURLOPT_FORBID_REUSE to 1L before performing a request. Alternatively, call curl_easy_cleanup() and curl_easy_init() between requests that use different credentials.
  • Also, scrutinize scripts that iterate over user accounts. Insert a short sleep or explicitly close handles between identities.

These mitigations degrade performance, but they are a temporary stopgap until the patch is applied.
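
The "separate curl invocations" workaround, sketched as an added example (not code from the curl project): each identity gets its own curl.exe process, so no connection or Negotiate state is carried from one identity to the next. The function names, the URL and the credential list are assumptions supplied by the caller.

```powershell
function ConvertTo-CurlConfigValue([string]$Value) {
    # In a double-quoted curl config value, \ and " must be escaped; without this,
    # the backslash in DOMAIN\user would be consumed as an escape character.
    '"' + ($Value -replace '\\', '\\' -replace '"', '\"') + '"'
}

function Invoke-CurlPerIdentity {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][pscredential[]]$Credential,
        [string]$CurlPath = 'curl.exe'   # point this at the patched binary once installed
    )
    foreach ($cred in $Credential) {
        $secret = $cred.UserName + ':' + $cred.GetNetworkCredential().Password
        # Credentials reach curl on stdin (--config -) rather than on the command
        # line, so they do not show up in process listings.
        $config = "negotiate`nuser = $(ConvertTo-CurlConfigValue $secret)`n"
        # A new process per identity means an empty connection cache every time.
        $status = $config | & $CurlPath --config - --silent --show-error `
            --output NUL --write-out '%{http_code}' --url $Url
        [pscustomobject]@{
            User       = $cred.UserName
            HttpStatus = $status
            CurlExit   = $LASTEXITCODE
        }
    }
}
```

Call it as Invoke-CurlPerIdentity -Url <endpoint> -Credential $credA, $credB, where each credential comes from Get-Credential or a secret store.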

The Bigger Picture: Curl’s Security Footprint in Windows Ecosystem

Curl is scaffolding for modern Windows. Microsoft has embraced it as the de facto transfer tool, even migrating PowerShell to use it via the -CustomMethod parameter. Yet the component is often invisible to end‑users and patch‑management tools that focus on GUI‑first products. This incident underscores the importance of tracking third‑party and open‑source components that ship inside the OS or as dependencies.

CVE-2026-1965 is not the first authentication‑related flaw in curl, nor will it be the last. Past vulnerabilities like CVE-2022-22576 (Credential leak via HTTP redirect) and CVE-2023-23914 (HSTS bypass) remind us that the library processes untrusted input under the hood, and its security posture directly impacts every developer machine and server that runs Windows.

Windows users would be wise to adopt package managers like winget and Chocolatey to stay ahead. Regularly auditing installed software with winget list or Get-Package can surface multiple curl instances. Enterprises should deploy software inventory tools that can detect libcurl versions inside packaged applications.

What to Expect Next

The curl project itself does not distribute Windows‑specific advisories. Microsoft will likely issue a guidance article or include an updated libcurl in a cumulative update for Windows 10 and 11. Third‑party vendors who ship curl will push their own patches. Watch for communication from Microsoft’s MSRC, and subscribe to the curl mailing list for any further clarifications.

Because the vulnerability requires a very specific pattern — Negotiate auth, connection reuse, and multiple credentials — widespread exploitation in the wild may be limited. But targeted attacks against enterprise automation scripts are entirely plausible. The low complexity of the attack (no exotic conditions) means that once a proof‑of‑concept appears, exploitation could ramp up.

What You Should Do Today

  1. Identify every curl instance on your Windows machine — use where curl and scan installed applications.
  2. Update standalone curl to 8.19.0 from the official site or via a package manager.
  3. For the Windows system curl, monitor Windows Update and consider enforcing a newer side‑by‑side installation.
  4. Apply workarounds (--no-keepalive or CURLOPT_FORBID_REUSE) if patching can’t happen immediately.
  5. Reach out to vendors of any software that embeds libcurl and request a security update.

Curl 8.19.0 closes a dangerous loophole in one of the internet’s most fundamental tools. On Windows, where identity holds the keys to the kingdom, leaving that door open even a crack is an open invitation to trouble.