You always find the new curl releases on the curl site!
Release presentation
At 10:00 CEST (08:00 UTC) I will do my transitional live-streamed video presentation of curl 8.20.0 on my twitch channel.
Numbers
the 274th release
8 changes
49 days (total: 10,761)
282 bugfixes (total: 13,922)
521 commits (total: 38,545)
0 new public libcurl function (total: 100)
0 new curl_easy_setopt() option (total: 308)
0 new curl command line option (total: 273)
73 contributors, 45 new (total: 3,664)
28 authors, 12 new (total: 1,463)
8 security fixes (total: 188)
Security
As mentioned elsewhere, the security reporting volume has been intense lately. We publish eight new curl vulnerabilities this time.
- CVE-2026-7168: cross-proxy Digest auth state leak
- CVE-2026-7009: OCSP stapling bypass with Apple SecTrust
- CVE-2026-6429: netrc credential leak with reused proxy connection
- CVE-2026-6276: stale custom cookie host causes cookie leak
- CVE-2026-6253: proxy credentials leak over redirect-to proxy
- CVE-2026-5773: wrong reuse of SMB connection
- CVE-2026-5545: wrong reuse of HTTP Negotiate connection
- CVE-2026-4873: connection reuse ignores TLS requirement
Changes
- now uses a thread pool and queue for resolving
- NTLM is disabled by default
- dropped support for CMake 3.17 and older
- dropped support for < c-ares 1.16.0
- SMB is disabled by default
- added CURLMNWC_CLEAR_ALL for all network changes
- dropped RTMP support
Bugfixes
The official count says over 260 bugfixes were merged in this 49 day cycle. See the changelog for all the details.
Pending Removals
Planned upcoming removals include:
- local crypto implementations
- NTLM
- SMB
- TLS-SRP support
If you are concerned about any of these, speak up on the curl-library ASAP.
Next release
Unless we messed up this one and need to do a patch release, the pending next release is scheduled to happen on June 24.