The vulnerability is present only if OpenSSL is the designated TLS backend. OCSP stapling is not enabled by default by libcurl, it needs to be explicitly enabled by the application to get used. https://curl.se/docs/CVE-2020-8286.html CREATE(Triage):(User=admin) [CVE-2020-8286|https://nvd.nist.gov/vuln/detail/CVE-2020-8286]