curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.CreditsMuhamad Arga Reksapati (HackerOne: nobcoder)Stefan EissingReferenceshttps://curl.se/docs/CVE-2026-3784.jsonhttps://curl.se/docs/CVE-2026-3784.htmlhttps://hackerone.com/reports/3584903
