GHSA-xq9p-gxg6-f7q6
A vulnerability in libcurl affects applications using SCP or SFTP transfers with the CURLOPT_SSH_KEYFUNCTION callback. When a server presents a host key type different from the one recorded in the known_hosts file, the callback may incorrectly accept the server without warning. This failure to enforce host key type restrictions can allow silent acceptance of untrusted servers, increasing the risk of man-in-the-middle attacks.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability occurs in libcurl-based applications performing SCP or SFTP transfers that use the CURLOPT_SSH_KEYFUNCTION callback. If the server presents a host key type that does not match the recorded key type in the known_hosts file, the callback mechanism does not reject the connection as expected. Instead, it allows the connection to succeed silently, bypassing the intended host key verification. This flaw undermines the security of SSH host key validation and may enable man-in-the-middle attacks by accepting untrusted servers without alerting the client.
Potential Impact
Affected applications may unknowingly connect to untrusted or malicious servers due to improper host key type verification. This can lead to man-in-the-middle attacks where an attacker intercepts or alters data during SCP or SFTP transfers. The vulnerability compromises the trust model of SSH host key validation in libcurl when using the specific callback.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should avoid relying solely on the CURLOPT_SSH_KEYFUNCTION callback for host key verification or implement additional verification mechanisms outside of libcurl. Monitoring vendor channels for updates is recommended.
Technical Details
- GCVE source: db.gcve.eu
- OSV ID: GHSA-xq9p-gxg6-f7q6
- OSV schema version: 1.4.0
- Aliases: CVE-2026-9547
- Ecosystems: none listed
- Database-specific severity: not provided
- CVSS version: not provided
Threat ID: 6a483cb427e9c79719d81f4d
Added to database: 07/03/2026, 22:50:28 UTC
Last enriched: 07/03/2026, 23:02:24 UTC
Last updated: 07/04/2026, 00:31:12 UTC