A significant security issue that has been present in curl for over 25 years has finally been addressed. Identified as CVE-2026-8932, the flaw was introduced in curl version 7.7, released on March 22, 2001. The update that fixes it addresses 18 Common Vulnerabilities and Exposures (CVEs) in total, a new record for a single curl version release.
Landmark Curl Update Fixes Numerous Vulnerabilities
The update was announced by Daniel Stenberg, curl’s maintainer, on June 24, 2026. This release is notable for addressing the highest number of vulnerabilities ever in curl’s history. Curl is a critical component in global technology infrastructure, running on over 30 billion devices and facilitating data transfers across various platforms.
Although users typically do not interact with curl directly, the libcurl library embedded in numerous products is where these vulnerabilities pose a significant risk. The identification of these flaws has highlighted the potential dangers lurking within the software.
AI-driven Discovery of Security Flaws
The uncovering of these vulnerabilities began on May 11, 2026, when Daniel Stenberg revealed that the Mythos AI model from Anthropic had detected a CVE in curl. This discovery led to an unprecedented number of security reports being filed for the curl project.
In total, 18 CVEs were issued with the curl 8.21.0 update. AISLE, an AI-powered security platform, was responsible for six of these discoveries, with additional contributions from various AI models, including those from Anthropic and OpenAI.
Significance and Impact of the Curl Update
The June 24 release of curl 8.21.0 addressed all identified vulnerabilities, including CVE-2026-8926 related to netrc credential handling and CVE-2026-8925 involving SASL authentication. These issues, particularly those in libcurl, affect embedded products, where users often cannot update the library directly.
curl 8.21.0 focuses heavily on patching existing issues and introduces only limited new features. Noteworthy updates include support for named globs in file uploads and improved HTTP/3 proxy capabilities.
Security teams and developers are strongly urged to upgrade to curl 8.21.0 immediately to safeguard systems, especially those utilizing authentication mechanisms and advanced HTTP features.
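
To act on the upgrade advice, the following added example (not from the article or the curl project) classifies hosts by the libcurl version reported in the first line of `curl --version`, using the 7.7 and 8.21.0 boundaries stated above. The hostnames, banners and function names are constructed for illustration.

```python
import re

# Versions taken from the article: 8.21.0 carries the fixes for all 18 CVEs;
# CVE-2026-8932 was introduced in 7.7.
FIXED = (8, 21, 0)
INTRODUCED = (7, 7, 0)

# Constructed sample banners (first line of `curl --version`); hostnames are made up.
SAMPLE_BANNERS = {
    "build-01": "curl 8.21.0 (x86_64-pc-linux-gnu) libcurl/8.21.0 OpenSSL/3.0.13 zlib/1.3",
    # Tool was upgraded but still loads an older shared libcurl.
    "edge-gw": "curl 8.21.0 (aarch64-unknown-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11",
    "legacy-box": "curl 7.6.1 (i686-pc-linux-gnu) libcurl 7.6.1 (OpenSSL 0.9.6)",
    "broken": "command not found",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '8.21.0' or '7.7' into a comparable (major, minor, patch) tuple, else None."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def libcurl_version(banner):
    """Return the linked libcurl version, which can differ from the curl tool's."""
    m = re.search(r"\blibcurl[/ ](\S+)", banner)
    return parse_version(m.group(1)) if m else None


def assess(banner):
    """Classify a banner against the version boundaries given in the article."""
    lib = libcurl_version(banner)
    if lib is None:
        return "unknown"
    if lib >= FIXED:
        return "patched"
    if lib >= INTRODUCED:
        return "needs-upgrade (in CVE-2026-8932 range)"
    return "needs-upgrade (predates CVE-2026-8932)"


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        print(f"{host:12} {assess(banner)}")
```

The check keys on the libcurl version rather than the tool version because, as the article notes, the risk sits in the library; products that bundle their own libcurl do not show up in this banner and need to be inventoried separately.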
