Windows users who depend on the ubiquitous curl command-line tool for proxy-authenticated web requests need to apply an urgent update. Microsoft’s security response center disclosed this week that a flaw in libcurl—the library powering curl—can cause the tool and any application embedding it to leak old proxy passwords. Assigned CVE-2026-9079, the vulnerability affects libcurl versions 8.8.0 through 8.20.0, and it creates a credential exposure risk that’s especially dangerous in corporate networks that rely on authenticated forward proxies.

The disclosure, published on the Microsoft Security Response Center (MSRC) portal, formalizes a bug that was quietly patched upstream by the curl project in late June 2026. If you run Windows and have ever typed curl into a terminal behind a corporate proxy, this advisory should move to the top of your to-do list.

The Stale Credential Leak Explained

At its core, the bug is a credentials caching mishap. libcurl keeps an internal map of proxy authentication credentials keyed by the proxy host. When you set a proxy password—usually via the --proxy-user command-line flag, an environment variable like HTTPS_PROXY, or a .curlrc configuration—libcurl stores that password and reuses it for subsequent connections to the same proxy. This avoids prompting for a password on every request and speeds up repeated operations.

The trouble starts when the password changes. Under a specific sequence of internal operations, libcurl fails to invalidate the stale entry in its credential cache. The next time a new connection is opened to that proxy, the library may send the old password instead of the new one. If that old password is still valid—say, because a password rotation policy hasn’t auto-expired the old credential yet—the proxy accepts it, and the transaction proceeds normally. The user sees no error; the script gets its data. But the interaction has now leaked a supposedly retired secret onto the wire, potentially into the hands of anyone monitoring proxy traffic or, worse, an adversary who has compromised the proxy itself.

The vulnerability impacts all operating systems where libcurl is present, but Windows is especially exposed for two reasons. Microsoft ships curl as an inbox tool since Windows 10 version 1803, and countless enterprise applications and scripting environments (PowerShell, command-line scripts, development tools) rely on it. Also, Windows networks frequently authenticate through Microsoft-backed proxies like those in Active Directory environments, where password changes are routine.

Who Is Affected and What’s at Stake

The blast radius cuts across several user communities.

Home Users and Enthusiasts

Even casual Windows users might trip over this bug. If you’ve ever configured curl to use a proxy—perhaps following a tutorial to route downloads through a filtering service—and later updated your proxy password, any subsequent use of curl could inadvertently resend the old password. While home users are admittedly less likely to have dedicated authenticated proxies, the risk is not zero. More importantly, tools that embed libcurl, such as Git for Windows (which relies on libcurl for HTTPS transport), can inherit the flaw and trigger the same leak during routine operations like git clone through a proxy.

IT Administrators and Enterprise Networks

This is where the damage potential is highest. In corporate settings, authenticated HTTP proxies are the standard way to enforce web filtering, content inspection, and egress controls. Service accounts, automated scripts, and user workstations often authenticate to these proxies using credentials that are rotated according to security policy. A script that runs daily to fetch inventory data, for instance, might have its proxy password updated via a configuration management tool—but if the script’s underlying libcurl keeps using the old password for hours or days, every request becomes a credential leak.

The leaked credential is not just any password; it’s often a domain account password. An attacker who gains control of the proxy server—or who can sniff traffic between the endpoint and the proxy—could harvest these stale passwords and use them to move laterally, access email, or escalate privileges. Even if the proxy is trusted, logging systems may inadvertently store these passwords in clear text, creating a long-lived exposure that contradicts security best practices.

Developers and Software Vendors

Applications that use libcurl for network operations—everything from custom installers to background update agents—need to be recompiled with a patched version of the library. Merely updating the system-level curl.exe on Windows won’t fix bundled copies inside third-party software. Developers must check their build dependencies and issue patches to customers. Software supply chains that distribute binaries with a vulnerable libcurl now carry a known weakness.

How We Got Here: Timeline and Origin

The vulnerability was introduced in libcurl 8.8.0, released in March 2025, as part of a refactor of the internal credential store. The goal was to improve performance when handling multiple proxy authentications simultaneously, but a logic error left the old password accessible in the cache even after a user-supplied update to the proxy-user configuration. The bug was not caught during code review or testing because the scenario—a proxy password change occurring while libcurl is actively holding onto the old one—required a specific, though not uncommon, ordering of operations.

In April 2026, a security researcher reported the behavior to the curl maintainers through the project’s responsible disclosure process. The curl team confirmed the flaw and began developing a fix. By late June 2026, libcurl version 8.21.0 was released with a patch that clears the stale credential cache entry when a new proxy user or password is supplied. The changelog entry reads simply: “Fixed stale proxy credentials being used when the user updates the password.” Shortly after, Microsoft’s MSRC assigned CVE-2026-9079 to the issue and published an advisory, given the widespread use of curl on Windows. The advisory notes that the vulnerability has not been observed in active exploitation at the time of disclosure, but the potential impact is significant enough to warrant immediate attention.

The fix is already available for Windows through the standard update channels. Microsoft typically bundles security updates for its inbox tools into cumulative updates or dedicated security-only patches. Users who keep Windows Update enabled will receive the patched curl.exe automatically, likely as part of the July 2026 Patch Tuesday release. For those who manage updates manually, the MSRC entry provides detection instructions and download links.

What to Do Now: Detection, Mitigation, and Patch

Follow these steps to assess your exposure and apply the remedy.

Check Your Current curl Version

Open a command prompt or PowerShell and run:

curl --version

The first line will show the version number, such as curl 8.15.0 (Windows) libcurl/8.15.0. If the version lies between 8.8.0 and 8.20.0 inclusive, you are vulnerable. If you see version 8.21.0 or later, you are safe. If the version is older than 8.8.0, you are not affected by this specific CVE, but you should still update for other security fixes.

Apply the Windows Update

If you’re running a supported version of Windows, the simplest fix is to install the latest security update via Windows Update. Go to Settings > Windows Update > Check for updates. Look for an update that mentions curl or libcurl, or one that applies the patch for CVE-2026-9079. For managed enterprise environments, use your existing patch management solution—WSUS, Microsoft Endpoint Configuration Manager, or third-party tools—to push the update to all endpoints that may use curl.

Manual Update for Standalone Scripts or Air-Gapped Systems

If you cannot update Windows immediately, or if you use a portable version of curl that is not tied to the OS, download the latest release from the official curl website (https://curl.se/download.html) and replace the existing binary. Ensure that the new curl.exe is placed in a folder listed in your PATH environment variable ahead of any vulnerable version. For air-gapped systems, transfer the binary via secure USB or internal file server after scanning it for integrity.

Update Third-Party Applications That Embed libcurl

This step is often overlooked. Tools like Git for Windows (which embeds libcurl), Miniconda, Node.js’s npm (under certain install scenarios), and numerous developer utilities ship their own copies of the library. Check the version of libcurl these applications report. For example, Git for Windows allows you to run git version and see the bundled curl version via git --exec-path and inspecting the curl.exe inside; alternatively, run curl --version from the Git Bash environment. If the version is in the affected range, update the application to the latest version that includes the fixed libcurl, or contact the vendor.

Review Scripts and Automation for Hardcoded Credentials

While the vulnerability doesn’t involve hardcoded passwords directly, it’s a good moment to audit your scripts. Avoid placing proxy credentials in plain text inside scripts. Use environment variables or credential managers instead, and ensure that after a password rotation, any running processes that use curl are restarted to pick up the new credentials and purge the old cache.

Monitor for Anomalous Proxy Authentication Attempts

If your proxy servers log authentication events, search for failed login attempts using outdated passwords that come from known IP addresses or hosts. A sudden spike could indicate that a credential has been leaked and someone is trying to reuse it. Work with your identity team to rotate any passwords that might have been exposed during the vulnerability window.

Looking Ahead: Lessons and Next Steps

The libcurl stale credential bug is a textbook example of why even foundational network tools demand rigorous security maintenance. Because curl is so deeply embedded in modern computing—on Windows alone, it powers countless scripts, installers, and background processes—a single stale password can become a pivot point for attackers. The short fix window between upstream patch and Microsoft’s advisory means most Windows users who update promptly will never see an exploit. However, enterprise admins should use this event as a push to review how proxy credentials are managed and rotated across their fleets.

For developers, the incident reinforces the importance of monitoring upstream libraries for security patches. Tools like dependency scanners (e.g., GitHub Dependabot, OWASP Dependency-Check) can alert you when a component like libcurl receives a fix. Integrating these scans into continuous integration pipelines ensures that vulnerable versions never reach production.

Looking forward, keep an eye on the upcoming July 2026 Patch Tuesday release notes. If you hear of any post-patch exploitation attempts or discover ancillary problems—such as credential leakages through other tools that bundle libcurl—report them to the MSRC and the curl maintainers. Responsible disclosure keeps the ecosystem safe.

Windows users have a straightforward playbook: check your curl version now, update Windows, and ask your vendors about any software that might be dragging along an older libcurl. A few minutes of attention today can stop a stale password from becoming a fresh breach.