CVE-2026-50019: yt-dlp: File Downloader cookie leak with curl
If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from that of their parent manifest.
This is the equivalent of GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp releases since 2023.09.24.
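The fragment-host case described above can be modelled with Python's standard cookie jar. This is an added example, not yt-dlp's code: the hosts, the cookie and the "header built once and reused" failure model are constructed assumptions that only illustrate the class of leak.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed sample data: hosts and cookie values are made up.
MANIFEST = "https://media.video.example/master.m3u8"
FRAGMENTS = [
    "https://media.video.example/seg0.ts",     # same host as the manifest
    "https://cdn.thirdparty.example/seg1.ts",  # different host
]

def sample_jar():
    """Jar with one session cookie scoped to .video.example."""
    jar = CookieJar()
    jar.set_cookie(Cookie(
        version=0, name="session", value="abc123", port=None,
        port_specified=False, domain=".video.example", domain_specified=True,
        domain_initial_dot=True, path="/", path_specified=True, secure=True,
        expires=None, discard=True, comment=None, comment_url=None, rest={},
    ))
    return jar

def cookie_header_for(jar, url):
    """Cookie header the jar allows for this URL, or None if nothing matches."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies domain, path and secure matching
    return req.get_header("Cookie")

def reused_header_plan(jar, manifest_url, urls):
    """Assumed failure model: header built once for the manifest, sent everywhere."""
    header = cookie_header_for(jar, manifest_url)
    return {url: header for url in urls}

def scoped_plan(jar, urls):
    """Safe behaviour: cookies are re-evaluated for every request URL."""
    return {url: cookie_header_for(jar, url) for url in urls}

def leaking_urls(jar, manifest_url, urls):
    """URLs that would receive cookies their host is not entitled to."""
    reused = reused_header_plan(jar, manifest_url, urls)
    scoped = scoped_plan(jar, urls)
    return [u for u in urls if reused[u] is not None and reused[u] != scoped[u]]

if __name__ == "__main__":
    for url in leaking_urls(sample_jar(), MANIFEST, FRAGMENTS):
        print("cookie would leak to:", url)
```

The same per-URL check applies to a redirect target: the cookies are re-evaluated against the new host rather than carried over from the original request.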
References
- github.com/advisories/GHSA-f7j3-774f-rfhj
- github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2026.06.09.230517
- github.com/yt-dlp/yt-dlp/commit/2726572520238356bcf64aba2040228648b44c82
- github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09
- github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj
- nvd.nist.gov/vuln/detail/CVE-2026-50019