Cyber Resilience

CVE-2026-7168

MediumPublic PoC

Published: 13 May 2026

Published
13 May 2026
Modified
14 May 2026
KEV Added
Patch
29 April 2026
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 27.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7168 is a medium-severity Authentication Bypass by Capture-replay (CWE-294) vulnerability in Haxx Curl. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 27.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wrongly pass on…

more

the `Proxy-Authorization:` header field meant for `proxyA`, to `proxyB`.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Proxy auth header leakage to unintended destination directly enables adversary-in-the-middle credential capture when an attacker influences proxy selection or handle reuse.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

haxx
curl
7.12.0 — 8.20.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-294

Allows detection of capture-replay attacks by showing the replayed logon's timestamp as the last logon.

addresses: CWE-294

Protects against replay of captured session tokens or credentials by requiring authenticated, fresh session channels.

addresses: CWE-294

Wireless link protections commonly incorporate replay protection, reducing the exploitability of capture-replay weaknesses.

addresses: CWE-294

Accurate synchronized time enables tight timestamp windows that directly limit capture-replay windows in authentication protocols.

References