CVE-2026-7009 - Vulnerability Details

When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Curl	Curl

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Curl	Curl

References

Link	Providers
https://curl.se/docs/CVE-2026-7009.html
https://curl.se/docs/CVE-2026-7009.json
https://hackerone.com/reports/3694390

History

Wed, 13 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Curl Curl curl
Weaknesses		CWE-200 CWE-284
Vendors & Products		Curl Curl curl

Wed, 13 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		When curl is told to use the Certificate Status Request TLS extension, often referred to as OCSP stapling, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly consider the response as fine.
Title		OCSP stapling bypass with Apple SecTrust
References		https://curl.se/docs/CVE-2026-7009.html https://curl.se/docs/CVE-2026-7009.json https://hackerone.com/reports/3694390

MITRE

Status: PUBLISHED

Assigner: curl

Published: 2026-05-13T08:28:53.697Z

Updated: 2026-05-13T09:05:48.665Z

Reserved: 2026-04-25T08:37:24.989Z

Link: CVE-2026-7009

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:30:16Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object