{"id":29662,"date":"2026-04-29T08:27:01","date_gmt":"2026-04-29T06:27:01","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=29662"},"modified":"2026-04-29T11:06:35","modified_gmt":"2026-04-29T09:06:35","slug":"curl-8-20-0","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2026\/04\/29\/curl-8-20-0\/","title":{"rendered":"curl 8.20.0"},"content":{"rendered":"\n<p>You always find the new curl releases <a href=\"https:\/\/curl.se\/\">on the curl site<\/a>!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Release presentation<\/h2>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"curl 8.20.0 with Daniel Stenberg\" width=\"474\" height=\"267\" src=\"https:\/\/www.youtube.com\/embed\/LlNZWEsZeL4?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Numbers<\/h2>\n\n\n\n<p class=\"has-text-align-center\">the 274th release<br>8 changes<br>49 days (total: 10,761)<br>282 bugfixes (total: 13,922)<br>521 commits (total: 38,545)<br>0 new public libcurl function (total: 100)<br>0 new curl_easy_setopt() option (total: 308)<br>0 new curl command line option (total: 273)<br>73 contributors, 45 new (total: 3,664)<br>28 authors, 12 new (total: 1,463)<br>8 security fixes (total: 188)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Security<\/h2>\n\n\n\n<p>As <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/04\/22\/high-quality-chaos\/\" data-type=\"post\" data-id=\"29657\">mentioned elsewhere<\/a>, the security reporting volume has been intense lately. We publish <em>eight<\/em> new curl vulnerabilities this time.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-7168.html\">CVE-2026-7168: cross-proxy Digest auth state leak<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-7009.html\">CVE-2026-7009: OCSP stapling bypass with Apple SecTrust<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-6429.html\">CVE-2026-6429: netrc credential leak with reused proxy connection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-6276.html\">CVE-2026-6276: stale custom cookie host causes cookie leak<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-6253.html\">CVE-2026-6253: proxy credentials leak over redirect-to proxy<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-5773.html\">CVE-2026-5773: wrong reuse of SMB connection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-5545.html\">CVE-2026-5545: wrong reuse of HTTP Negotiate connection<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/curl.se\/docs\/CVE-2026-4873.html\">CVE-2026-4873: connection reuse ignores TLS requirement<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Changes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>now uses a thread pool and queue for resolving<\/li>\n\n\n\n<li>NTLM is disabled by default<\/li>\n\n\n\n<li>dropped support for CMake 3.17 and older<\/li>\n\n\n\n<li>dropped support for &lt; c-ares 1.16.0<\/li>\n\n\n\n<li>SMB is disabled by default<\/li>\n\n\n\n<li>added CURLMNWC_CLEAR_ALL for all network changes<\/li>\n\n\n\n<li><a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/03\/21\/bye-bye-rtmp\/\" data-type=\"post\" data-id=\"29275\">dropped RTMP support<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Bugfixes<\/h2>\n\n\n\n<p>The official count says over 260 bugfixes were merged in this 49 day cycle. See the <a href=\"https:\/\/curl.se\/ch\/\">changelog<\/a> for all the details.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Pending Removals<\/h2>\n\n\n\n<p>Planned upcoming removals include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>local crypto implementations<\/li>\n\n\n\n<li>NTLM<\/li>\n\n\n\n<li>SMB<\/li>\n\n\n\n<li>TLS-SRP support<\/li>\n<\/ul>\n\n\n\n<p>If you are concerned about any of these, speak up on the curl-library ASAP.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Next release<\/h2>\n\n\n\n<p>Unless we messed up this one and need to do a patch release, the pending next release is scheduled to happen on June 24.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You always find the new curl releases on the curl site! Release presentation Numbers the 274th release8 changes49 days (total: 10,761)282 bugfixes (total: 13,922)521 commits (total: 38,545)0 new public libcurl function (total: 100)0 new curl_easy_setopt() option (total: 308)0 new curl command line option (total: 273)73 contributors, 45 new (total: 3,664)28 authors, 12 new (total: 1,463)8 &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/04\/29\/curl-8-20-0\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl 8.20.0<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":29692,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,95],"class_list":["post-29662","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-release"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/29662","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=29662"}],"version-history":[{"count":20,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/29662\/revisions"}],"predecessor-version":[{"id":29710,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/29662\/revisions\/29710"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/29692"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=29662"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=29662"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=29662"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}