Description
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Published: 2026-03-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability occurs in Caddy’s forward_auth copy_headers functionality, which fails to drop client‑supplied headers. An attacker can inject identity‑related headers, causing the server to trust and authorize the attacker as another user. This leads to unauthorized privilege escalation on the system. The weakness aligns with authentication bypass (CWE‑287) and implicit trust of user data (CWE‑345).
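The header-copying defect described above, as an added illustration in Go that is not Caddy's own code: the vulnerable copier leaves a client-supplied X-Remote-User header in place whenever the auth backend's response does not set one, while the fixed copier deletes every copy_headers name from the request before copying. The pass-through-when-absent mechanism and the X-Remote-User header name are assumptions drawn from the advisory wording, not details taken from the patch.

```go
package main

import (
	"fmt"
	"net/http"
)

// copyHeadersVulnerable mirrors the flawed pattern the advisory describes
// (assumed behaviour, not Caddy's actual code): a header present in the auth
// backend's response is copied into the request, but a header the backend did
// not set is left untouched, so a client-supplied value survives to the app.
func copyHeadersVulnerable(req *http.Request, authResp http.Header, names []string) {
	for _, name := range names {
		if v := authResp.Get(name); v != "" {
			req.Header.Set(name, v)
		}
	}
}

// copyHeadersFixed strips every copy_headers name from the incoming request
// first, so only values the auth backend actually set reach the upstream app.
func copyHeadersFixed(req *http.Request, authResp http.Header, names []string) {
	for _, name := range names {
		req.Header.Del(name)
		if v := authResp.Get(name); v != "" {
			req.Header.Set(name, v)
		}
	}
}

// forwardedIdentity runs one constructed request through the given copier and
// returns the X-Remote-User value the upstream application would trust.
func forwardedIdentity(copier func(*http.Request, http.Header, []string), clientUser string, authResp http.Header) string {
	req, _ := http.NewRequest(http.MethodGet, "http://app.internal/admin", nil) // constructed sample request
	if clientUser != "" {
		req.Header.Set("X-Remote-User", clientUser) // value chosen by the client, not the auth backend
	}
	copier(req, authResp, []string{"X-Remote-User"})
	return req.Header.Get("X-Remote-User")
}

func main() {
	// constructed scenario: the auth backend allows the request but sets no identity header
	authResp := http.Header{}
	fmt.Printf("vulnerable: %q\n", forwardedIdentity(copyHeadersVulnerable, "admin", authResp))
	fmt.Printf("fixed:      %q\n", forwardedIdentity(copyHeadersFixed, "admin", authResp))
}
```

A regression check for a reverse proxy or auth gateway should cover exactly this case: a request carrying the identity header that the auth backend does not set must reach the upstream with that header removed.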

Affected Systems

Caddy server versions from 2.10.0 up to 2.11.1 are affected. Versions 2.11.2 and later include the fix.

Risk and Exploitability

This flaw has a CVSS score of 8.1, denoting high severity. The EPSS score is below 1 %, indicating a very low likelihood of exploitation based on current data, and it is not listed in the CISA KEV catalog. The likely attack involves a remote client sending crafted headers to the Caddy server to manipulate the forwarded identity headers.

Generated by OpenCVE AI on April 16, 2026 at 10:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Caddy server to version 2.11.2 or later to apply the patch that ensures client‑supplied headers are stripped.
  • Verify that the forward_auth copy_headers configuration no longer forwards any identity‑related headers.
  • Limit the use of forward_auth copy_headers to only trusted headers or remove the feature entirely if immediate upgrade is not possible.
  • Audit authentication flows to confirm that no unauthorized identity injection can occur and review access controls accordingly.



Advisories
Source: Github GHSA
ID: GHSA-7r4p-vjf4-gxv4
Title: Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
History

Wed, 11 Mar 2026 13:15:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Caddyserver; Caddyserver caddy

Type: Vendors & Products
Values removed: (none)
Values added: Caddyserver; Caddyserver caddy

Sat, 07 Mar 2026 16:45:00 +0000

Type: Description
Values removed: (none)
Values added: Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

Type: Title
Values removed: (none)
Values added: Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Type: Weaknesses
Values removed: (none)
Values added: CWE-287; CWE-345

Type: References
Values removed: (none)
Values added:

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T18:24:49.691Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30851

Vulnrichment

Updated: 2026-03-09T17:58:59.189Z

NVD

Status: Analyzed

Published: 2026-03-07T17:15:52.540

Modified: 2026-03-11T13:06:25.083

Link: CVE-2026-30851

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses