diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index fe647dbafd4de..1a270a1c32cea 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1900,14 +1900,11 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 case CURLOPT_SSLKEYTYPE:
 case CURLOPT_SSL_CIPHER_LIST:
 case CURLOPT_USERAGENT:
- case CURLOPT_USERPWD:
 case CURLOPT_COOKIELIST:
 case CURLOPT_FTP_ALTERNATIVE_TO_USER:
 case CURLOPT_SSH_HOST_PUBLIC_KEY_MD5:
- case CURLOPT_PASSWORD:
 case CURLOPT_PROXYPASSWORD:
 case CURLOPT_PROXYUSERNAME:
- case CURLOPT_USERNAME:
 case CURLOPT_NOPROXY:
 case CURLOPT_SOCKS5_GSSAPI_SERVICE:
 case CURLOPT_MAIL_FROM:
@@ -2021,6 +2018,12 @@ static zend_result _php_curl_setopt(php_curl *ch, zend_long option, zval *zvalue
 case CURLOPT_HSTS:
 #endif
 case CURLOPT_KRBLEVEL:
+ // Authorization header would be implictly set
+ // with an empty string thus we explictly set the option
+ // to null to avoid this unwarranted side effect
+ case CURLOPT_USERPWD:
+ case CURLOPT_USERNAME:
+ case CURLOPT_PASSWORD:
 {
 if (Z_ISNULL_P(zvalue)) {
 error = curl_easy_setopt(ch->cp, option, NULL);
diff --git a/ext/curl/tests/gh18458.phpt b/ext/curl/tests/gh18458.phpt
new file mode 100644
index 0000000000000..702737ac369ba
--- /dev/null
+++ b/ext/curl/tests/gh18458.phpt
@@ -0,0 +1,33 @@
+--TEST--
+GH-18458 (authorization header is set despite CURLOPT_USERPWD set to null)
+--EXTENSIONS--
+curl
+--SKIPIF--
+
+--FILE--
+
+--EXPECTF--
+%A
+bool(false)
+%A
+bool(false)
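Review bot: The proxy credential options are left behind: the first hunk keeps `case CURLOPT_PROXYPASSWORD:` and `case CURLOPT_PROXYUSERNAME:` in the plain-string group, so a null passed for them presumably still reaches libcurl as an empty string rather than NULL. If that can make libcurl send an empty Proxy-Authorization header the way the new comment describes for Authorization (worth confirming, it is not visible here), those two labels should move next to `case CURLOPT_PASSWORD:` in the second hunk so callers can reliably clear proxy credentials as well. The added comment also has two typos and sits in the middle of the label list; suggest `// An empty string would implicitly set an Authorization header, so null must reach libcurl as NULL.` directly above `case CURLOPT_USERPWD:`. The non-null branch of this block lies outside the hunk, so how non-null credential strings are validated cannot be checked from here.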