{
"title": "CVE-2026-7168 libcurl Digest Proxy Leak: Windows Admin Fix Checklist",
"content": "The curl project dropped a medium-severity bomb on April 29, 2026, disclosing CVE-2026-7168, a libcurl vulnerability that leaks Digest authentication credentials when a connection handle is reused across different HTTP proxies. Windows administrators who manage servers and workstations with libcurl-based tools—which is nearly everyone—need to act fast.

CVE-2026-7168 strikes at the heart of proxy authentication in one of the internet’s most ubiquitous transfer libraries. If your Windows environment uses curl, Git for Windows, Visual Studio Code, or any of the countless utilities that wrap libcurl, and those tools authenticate to HTTP proxies with Digest, you are potentially exposed. The fix requires more than a single update; it demands a systematic audit of every libcurl instance on your systems, because each bundled copy is patched on its own vendor's schedule.

What Is CVE-2026-7168?

When an application uses libcurl to talk to an HTTP proxy with Digest authentication, the library stores state information—nonces, realms, and counters—inside the easy handle. In normal operation, that handle is tied to one proxy. But if an application reuses the same handle for a second proxy, perhaps after a URL redirect or explicit configuration change, libcurl versions 7.85.0 through 8.10.0 fail to clear the old Digest state. The result: the second proxy receives the Digest material meant for the first (username, realm, nonce, request counter and the hashed response), and a malicious proxy in that position can capture it for replay against the real proxy or for offline password cracking.

The vulnerability was discovered by a security researcher and reported through the project’s HackerOne program. The curl advisory rates it medium with a CVSS score of 5.9. That might not sound alarming, but for environments where proxy credentials grant access to sensitive internal resources, a leak can lead to lateral movement.

Technical Breakdown

Digest authentication uses a challenge-response to avoid sending the password in the clear. The proxy sends a nonce; the client computes HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri), then answers with response = MD5(HA1:nonce:nc:cnonce:qop:HA2), where nc is a request counter and cnonce a client-chosen nonce. Because the response is bound to the proxy's nonce, it is only meant to be valid for that proxy and that challenge. If the client reuses the handle with a different proxy, it can send the nonce and response from the previous session pre-emptively, before the new proxy has even challenged it. An attacker who controls that second proxy harvests the username, realm, nonce and response, and can then either replay them to the original proxy while that nonce is still accepted, or run an offline dictionary attack: MD5 is cheap, and every input to the computation except the password is sitting in the captured header.
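The Digest computation above, worked through as an added PowerShell example written for this article (it is not code from the curl project or from the advisory). It builds the Proxy-Authorization header a client sends to a legitimate proxy for a CONNECT through it, parses that header the way a second proxy receiving the leaked state would, and then runs the offline dictionary attack the paragraph describes against the captured response. The realm, nonces, credentials and wordlist are all constructed values.

```powershell
# Added example for this article; not code from the curl project or the advisory.
# Realm, nonces, credentials and wordlist below are constructed.

function Get-Md5Hex {
    param([string]$Text)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try {
        $bytes = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
    } finally { $md5.Dispose() }
}

# MD5 Digest with qop=auth (RFC 7616 / RFC 2617):
#   HA1 = MD5(username:realm:password)    HA2 = MD5(method:uri)
#   response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
# For an https:// URL through a proxy the method is CONNECT and the uri is host:port.
function Get-DigestResponse {
    param([string]$Username, [string]$Realm, [string]$Password, [string]$Method,
          [string]$Uri, [string]$Nonce, [string]$Nc, [string]$Cnonce)
    $ha1 = Get-Md5Hex (($Username, $Realm, $Password) -join ':')
    $ha2 = Get-Md5Hex (($Method, $Uri) -join ':')
    return Get-Md5Hex (($ha1, $Nonce, $Nc, $Cnonce, 'auth', $ha2) -join ':')
}

# What any proxy, legitimate or rogue, can recover from the header it receives.
function ConvertFrom-DigestHeader {
    param([string]$Header)
    $fields = @{}
    foreach ($m in [regex]::Matches($Header, '(\\w+)=(?:\"([^\"]*)\"|([^,\\s]+))')) {
        $value = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { $m.Groups[3].Value }
        $fields[$m.Groups[1].Value] = $value
    }
    return $fields
}

# Offline dictionary attack: every input to the response except the password is in the leaked header.
function Find-PasswordFromLeakedDigest {
    param([hashtable]$Leak, [string[]]$Candidates)
    foreach ($pw in $Candidates) {
        $guess = Get-DigestResponse -Username $Leak.username -Realm $Leak.realm -Password $pw `
            -Method $Leak.method -Uri $Leak.uri -Nonce $Leak.nonce -Nc $Leak.nc -Cnonce $Leak.cnonce
        if ($guess -eq $Leak.response) { return $pw }
    }
    return $null
}

# --- Constructed scenario: handle authenticated to proxy A, then reused towards a second proxy ---
$user = 'jdoe'; $password = 'Winter2026!'; $realm = 'corp-proxy'
$nonceA = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'    # nonce issued by the legitimate proxy's 407 challenge
$nc = '00000001'; $cnonce = '0a4f113b'
$uri = 'www.example.com:443'

$response = Get-DigestResponse -Username $user -Realm $realm -Password $password `
    -Method 'CONNECT' -Uri $uri -Nonce $nonceA -Nc $nc -Cnonce $cnonce
$header = 'Digest username=\"{0}\", realm=\"{1}\", nonce=\"{2}\", uri=\"{3}\", qop=auth, nc={4}, cnonce=\"{5}\", response=\"{6}\"' -f `
    $user, $realm, $nonceA, $uri, $nc, $cnonce, $response
Write-Output \"Proxy-Authorization: $header\"

# Stale state leaks: the header computed for proxy A's nonce is presented to a second proxy.
$leak = ConvertFrom-DigestHeader $header
$leak['method'] = 'CONNECT'                        # the request line is visible to that proxy as well
$wordlist = @('Password1', 'Summer2025', 'Winter2026!', 'changeme')   # constructed wordlist
$recovered = Find-PasswordFromLeakedDigest -Leak $leak -Candidates $wordlist
Write-Output \"Second proxy sees user '$($leak.username)' for realm '$($leak.realm)'; offline guess recovers: $recovered\"
```

Note the asymmetry the example exposes: replay back to the real proxy is bounded by how strictly it enforces nonce expiry and the nc counter, but the offline attack is not bounded by anything except password strength, which is why a leaked Digest response for an internal realm should be treated as a credential exposure rather than a transient session leak.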

The vulnerable code path in lib/http_proxy.c involves the Curlhttpproxydigestreauth function missing a cleanup call when the proxy URL changes. The commit that introduced the issue was a refactoring in curl 7.85.0 aimed at improving proxy protocol negotiation. The fix, committed on April 28, 2026, adds an explicit reset of the Digest state in the proxyswitch handler and is included in curl 8.11.0.

Version range      | Status
libcurl < 7.85.0   | Not affected
7.85.0 – 8.10.0    | Vulnerable
8.11.0 and above   | Patched

Why Windows Admins Should Care

Windows isn’t exempt from the curl ecosystem. Microsoft ships curl.exe with Windows 10/11 and Windows Server starting with Windows 10 version 1803. Moreover, dozens of development and administrative tools bundle libcurl: Git for Windows includes it for HTTPS transport; Visual Studio Code uses it for extensions and updates; Docker Desktop's CLI; Vagrant; and many custom C/C++ applications. Even Windows Subsystem for Linux (WSL) distributions come with their own libcurl, which can be used in cross-platform workflows. If you manage Windows endpoints that use any of these tools through authenticated proxies, you are potentially affected.

Real-World Attack Scenario

Imagine a corporate network where all outbound traffic must pass through a corporate proxy server using Digest authentication. An attacker on the same network deploys a rogue proxy and tricks a victim’s application into sending requests there—via DNS spoofing, malicious PAC files, or social engineering. If the application reuses a libcurl handle that was previously authenticated to the legitimate proxy, the Digest state leaks to the rogue proxy. The attacker captures the nonce and response and replays them to the real proxy while that nonce is still accepted, or cracks the password offline and simply authenticates as the victim, gaining authenticated access to internal resources. From there, they pivot into sensitive services.

How to Check if You’re Affected

Run this PowerShell command on a representative Windows host to inventory libcurl DLLs and curl.exe copies. Bundled copies are not always named libcurl.dll; Git for Windows, for example, ships mingw64\\bin\\libcurl-4.dll, so match on a wildcard:

powershell Get-ChildItem -Path C:\\, D:\\ -Include libcurl*.dll, curl.exe -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName, @{Name=\"FileVersion\";Expression={$_.VersionInfo.FileVersion}}

The output lists every copy and the version from its Windows version resource. Compare against 8.11.0 or higher. Some bundled builds, notably mingw-compiled DLLs, carry no version resource at all and report an empty FileVersion; for those, check the bundling application's own version, or search the DLL for the libcurl/X.Y.Z string that libcurl embeds in every build. For example, Git for Windows ships libcurl 8.7.0 within its mingw64 binaries, so you update Git itself to get the patched libcurl.

Alternatively, use the Sysinternals tool Sigcheck to dump version info in bulk:

cmd sigcheck -nobanner -accepteula -e -s -c C:\\ > curlinventory.csv

The -s switch recurses into subdirectories; without it only the top-level directory is scanned. Open the CSV and filter the Path column for libcurl and curl.exe to see all instances.

Windows Admin Fix Checklist

1. Immediate Patching of System curl

If you have curl installed via winget or Chocolatey, upgrade:

cmd winget upgrade --id cURL.cURL

Or with Chocolatey:

cmd choco upgrade curl -y

Otherwise, download the official binary from https://curl.se/windows/. Do not overwrite C:\\Windows\\System32\\curl.exe: that copy is Windows-owned and is serviced through Windows Update, and a hand-replaced file is liable to be overwritten by the next cumulative update. Instead, place the updated curl.exe in a directory that precedes System32 in PATH and confirm it wins with where.exe curl. Use where.exe explicitly in PowerShell, because plain where is an alias for Where-Object; likewise, in Windows PowerShell 5.1 curl is an alias for Invoke-WebRequest, so type curl.exe when you mean the binary.

2. Update Application-Specific Bundles

For each application you found in the inventory:

  • Git for Windows: Update to version 2.47.0 or later, which ships libcurl 8.11.0. Download from https://git-scm.com/download/win. Verify with git --version.
  • Visual Studio Code: Install the latest stable release (version 1.97+). VS Code uses its own libcurl; auto-updates usually deliver the fix. Check Help > About to see the curl version in the \"Libraries\" section.
  • Docker Desktop: Update to version 4.37.0 or newer. The CLI uses a bundled libcurl for some operations. Run docker version and compare the client version.
  • Python pycurl: If you use pycurl, upgrade the package (pip install --upgrade pycurl) and verify the libcurl build it reports in pycurl.version, a string of the form PycURL/x.y.z libcurl/8.a.b .... That string tells you which libcurl pycurl actually loaded; do not assume it shares the system curl.exe's library, since the Windows wheels carry their own build.
  • Custom or Legacy Applications: Contact vendors or recompile with the latest libcurl. For in-house tools, download the libcurl 8.11.0 development package from https://curl.se/download.html and link against it.

3. Workarounds If Patching Is Delayed

  • Avoid handle reuse: If you control application code, destroy and recreate curl easy handles between proxy configurations, using curl_easy_cleanup() followed by a fresh curl_easy_init(), instead of reusing a handle. Note that curl_easy_reset() does not reliably clear Digest state in vulnerable versions, so resetting is not a substitute for a fresh handle.
  • Disable Digest authentication: If your proxies accept another scheme, pin it explicitly: --proxy-basic or --proxy-ntlm on the command line, or CURLOPT_PROXYAUTH set to CURLAUTH_BASIC or CURLAUTH_NTLM in code. Do not use --proxy-anyauth for this; it lets libcurl negotiate whatever scheme the proxy offers, Digest included. Pinning Basic removes the Digest state leak but sends the credentials base64-encoded to the proxy on every request, so only do it over a TLS-protected proxy connection (an https:// proxy URL).
  • Network segmentation: Temporarily isolate systems that must use Digest proxies behind a firewall that allows only specific proxy destinations. This limits exposure if credentials leak to a rogue proxy.

4. Test Proxy Authentication After Patching

After updating, confirm that authenticated proxy connections still work:

cmd curl.exe -x http://proxy.example.com:8080 --proxy-digest -U user:password https://www.example.com

Replace with your actual proxy and credentials. You should see a 200 response and no 407 Proxy Authentication Required errors; add -v to watch the Proxy-Authenticate challenge and the Proxy-Authorization reply. Use curl.exe explicitly, because in Windows PowerShell 5.1 curl is an alias for Invoke-WebRequest. Also test with Git, forcing Digest so the test exercises the same code path:

bash git clone https://github.com/example/repo.git --config http.proxy=http://proxy.example.com:8080 --config http.proxyAuthMethod=digest

Ensure the clone succeeds without asking for credentials repeatedly.

5. Monitor for Credential Leakage

While the vulnerability is being patched, set up alerts in your SIEM for unusual proxy authentication attempts. Look for:

  • Authentication failures from a user to a proxy they don’t normally use.
  • Proxy requests to unknown or external hosts with a Digest response that matches an internal realm.
  • Multiple proxy authentication attempts from a single source IP to different proxy servers in a short time.
Most proxies can be configured to log the authenticated user per request (Squid's logformat directive, for instance, exposes the user name as %un and can add selected request headers), and some log the realm as well. Parse those logs to spot Digest responses for an internal realm arriving at the wrong place, or the same client authenticating to several proxies in quick succession.
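The three detection rules listed above, run over a handful of constructed proxy authentication records, as an added PowerShell example written for this article (not part of the original page and not tied to any particular proxy product). The log format, the list of approved proxies, the per-user baseline and the 60-second window are all assumptions; map your proxy's real fields onto the same names and the rules carry over unchanged.

```powershell
# Added example for this article. The log format below is constructed; map your proxy's
# actual fields (source IP, proxy host, user, realm, auth scheme, status) onto these names.
$ApprovedProxies = @('proxy-a.corp.example', 'proxy-b.corp.example')                            # assumed
$UserBaseline    = @{ jdoe = @('proxy-a.corp.example'); svc_build = @('proxy-b.corp.example') } # assumed
$WindowSeconds   = 60

# Constructed sample records: one per authentication attempt seen by the proxies (or by a DNS/PAC-redirected host).
$SampleLog = @'
2026-05-02T09:14:03Z src=10.20.30.41 proxy=proxy-a.corp.example user=jdoe realm=corp-proxy auth=Digest status=200
2026-05-02T09:14:05Z src=10.20.30.41 proxy=10.20.30.99 user=jdoe realm=corp-proxy auth=Digest status=407
2026-05-02T09:20:11Z src=10.20.30.77 proxy=proxy-b.corp.example user=svc_build realm=corp-proxy auth=Digest status=200
2026-05-02T09:21:40Z src=10.20.30.52 proxy=proxy-b.corp.example user=jdoe realm=corp-proxy auth=Digest status=407
2026-05-02T09:30:00Z src=10.20.30.60 proxy=proxy-a.corp.example user=bob realm=corp-proxy auth=Basic status=200
'@

function ConvertFrom-ProxyAuthLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line.Trim() -split '\\s+'
        $rec = @{ Time = [datetime]::Parse($parts[0]) }
        foreach ($kv in $parts[1..($parts.Count - 1)]) {
            $k, $v = $kv -split '=', 2
            $rec[$k] = $v
        }
        [pscustomobject]$rec
    }
}

function Find-SuspiciousProxyAuth {
    param([object[]]$Records, [string[]]$Approved, [hashtable]$Baseline, [int]$WindowSeconds)
    $digest = @($Records | Where-Object auth -eq 'Digest')
    $alerts = @()
    foreach ($r in $digest) {
        if ($Approved -notcontains $r.proxy) {
            # Rule: a Digest response for an internal realm presented to a host that is not one of our proxies.
            $alerts += [pscustomobject]@{ Time = $r.Time; Src = $r.src; User = $r.user; Rule = 'unapproved-proxy';
                Detail = \"realm $($r.realm) response sent to $($r.proxy)\" }
        } elseif ($Baseline.ContainsKey($r.user) -and $Baseline[$r.user] -notcontains $r.proxy) {
            # Rule: the user authenticated to an approved proxy they do not normally use.
            $alerts += [pscustomobject]@{ Time = $r.Time; Src = $r.src; User = $r.user; Rule = 'unusual-proxy-for-user';
                Detail = \"$($r.user) normally uses $($Baseline[$r.user] -join ','), not $($r.proxy)\" }
        }
    }
    # Rule: one source authenticating to different proxies within a short window.
    foreach ($g in ($digest | Group-Object src)) {
        $seq = @($g.Group | Sort-Object Time)
        for ($i = 1; $i -lt $seq.Count; $i++) {
            $gap = ($seq[$i].Time - $seq[$i - 1].Time).TotalSeconds
            if ($gap -le $WindowSeconds -and $seq[$i].proxy -ne $seq[$i - 1].proxy) {
                $alerts += [pscustomobject]@{ Time = $seq[$i].Time; Src = $g.Name; User = $seq[$i].user; Rule = 'proxy-hopping';
                    Detail = \"$($seq[$i - 1].proxy) then $($seq[$i].proxy) within ${gap}s\" }
            }
        }
    }
    return $alerts
}

$records = ConvertFrom-ProxyAuthLog -Lines ($SampleLog -split '\\r?\\n')
$alerts  = Find-SuspiciousProxyAuth -Records $records -Approved $ApprovedProxies -Baseline $UserBaseline -WindowSeconds $WindowSeconds
$alerts | Format-Table -AutoSize
# On the sample: unapproved-proxy and proxy-hopping for 10.20.30.41 (jdoe's state reaching 10.20.30.99 two seconds
# after a legitimate auth), and unusual-proxy-for-user for 10.20.30.52. The Basic record is ignored by design.
```

The unapproved-proxy rule is the one that catches this CVE directly, but it only fires if the rogue proxy's traffic is visible to whatever is logging, which is why the proxy-hopping rule is worth keeping on the real proxies' own logs: a handle that leaked state to a rogue host will typically have authenticated to a legitimate proxy moments earlier.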

6. Automating Detection and Updates

Consider deploying a PowerShell script via Group Policy or SCCM to audit and update libcurl on all managed Windows systems. A sample script might:

  1. Search for libcurl DLLs and report versions.
  2. Compare versions to the safe list.
  3. Attempt to update trusted package managers (winget, Choco).
  4. Generate a compliance report.
You can use a tool like PS2EXE to package the script into a deployable EXE.
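One script that covers the inventory step from the How to Check section and the four automation items above, written for this page as an added example (it is not a tool from the curl project or Microsoft). It searches the usual install roots for libcurl DLLs and curl.exe, reads the version from the PE version resource and, when a build carries none, from the libcurl/X.Y.Z string that every libcurl binary embeds, grades each copy against the version table earlier in the article, writes a per-host CSV for the compliance report, and invokes winget or Chocolatey only when a vulnerable copy was found. The search roots, version thresholds and output path are assumptions to adapt to your estate.

```powershell
# Added example for this article, not a tool from the curl project or Microsoft.
# Search roots, version thresholds and output path are assumptions; adapt them.
$FirstVulnerable = [version]'7.85.0'
$FixedVersion    = [version]'8.11.0'
$SearchRoots     = @('C:\\Program Files', 'C:\\Program Files (x86)', 'C:\\Windows\\System32',
                     $env:ProgramData, $env:LOCALAPPDATA)

function Find-LibcurlBinaries {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # Bundled copies go by several names: libcurl.dll, libcurl-4.dll (Git for Windows), libcurl-x64.dll, ...
        Get-ChildItem -LiteralPath $root -Recurse -File -Include 'libcurl*.dll', 'curl.exe' -ErrorAction SilentlyContinue
    }
}

function Get-LibcurlVersion {
    param([string]$Path)
    # 1. PE version resource, when the build has one (the official curl-for-win builds and the in-box curl.exe do).
    $pv = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path).ProductVersion
    if ($pv -and $pv -match '^(\\d+\\.\\d+\\.\\d+)') { return [version]$Matches[1] }
    # 2. Otherwise look for the 'libcurl/X.Y.Z' token that curl_version() embeds in every libcurl build;
    #    mingw builds such as Git for Windows' libcurl-4.dll often carry no version resource at all.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    if ($text -match 'libcurl/(\\d+\\.\\d+\\.\\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-LibcurlComplianceReport {
    param([string[]]$Roots = $SearchRoots)
    foreach ($f in Find-LibcurlBinaries -Roots $Roots) {
        $v = Get-LibcurlVersion -Path $f.FullName
        if ($null -eq $v) { $status = 'Unknown' }
        elseif ($v -lt $FirstVulnerable) { $status = 'Not affected' }
        elseif ($v -lt $FixedVersion) { $status = 'VULNERABLE' }
        else { $status = 'Patched' }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Path         = $f.FullName
            Version      = $v
            Status       = $status
        }
    }
}

function Invoke-PackageManagerUpgrade {
    # Only copies installed through a package manager can be fixed here; bundled copies need the vendor's update.
    if (Get-Command winget -ErrorAction SilentlyContinue) { winget upgrade --id cURL.cURL --silent --accept-source-agreements }
    if (Get-Command choco  -ErrorAction SilentlyContinue) { choco upgrade curl -y }
}

$report = @(Get-LibcurlComplianceReport)
$report | Format-Table -Property Status, Version, Path -AutoSize
$report | Export-Csv -NoTypeInformation -Path \"$env:TEMP\\libcurl-${env:COMPUTERNAME}.csv\"
if ($report | Where-Object Status -eq 'VULNERABLE') { Invoke-PackageManagerUpgrade }
```

Copies graded Unknown deserve a manual look rather than a pass: a statically linked application that embeds libcurl will not show up as a DLL at all, and a DLL with neither a version resource nor a recognisable version string is usually a custom or stripped build that only the owning vendor can vouch for. Collect the CSVs centrally (a Group Policy startup script or SCCM package writing to a share is enough) and diff them after each patch cycle.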

Long-Term Proxy Hygiene

CVE-2026-7168 is a reminder that proxy credentials are as sensitive as any password. Adopt these practices:

  • Rotate proxy credentials regularly. If a leak occurs, the window of misuse shrinks.
  • Use unique credentials per service. Don’t let a single proxy account grant access to everything.
  • Move to token-based or certificate-based proxy authentication where possible. Digest is aging; consider modern replacements like OAuth2 tokens over TLS.
  • Audit proxy configurations monthly. Know which applications use which proxies and with what authentication.

The Response Timeline

  • April 28, 2026: curl maintainer Daniel Stenberg commits the fix to the git repository.
  • April 29, 2026: CVE-2026-7168 reserved, advisory published, and curl 8.11.0 released.
  • May 1, 2026: NIST NVD entry added; vulnerability scanners begin detecting the flaw.
  • May 5, 2026: Major Linux distributions push updated libcurl packages. Windows users must rely on application vendors and their own patch cycles.
Windows admins often lag on library updates because versions are scattered across numerous application directories. Take this opportunity to centralize libcurl management: where possible, use a single system-wide installation and rely on PATH to enforce it, but be prepared for applications that statically link.

Conclusion

CVE-2026-7168 won’t bring down your network, but it’s a persistent threat that rewards attackers who control a proxy—a common man-in-the-middle scenario in corporate networks. Grab the patch, audit your libcurl footprint, and impose stricter proxy hygiene. Staying ahead of these library-level bugs is a continuous job, but the checklist