Description
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
Published: 2026-06-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to Caddy 2.11.4, the forward_auth copy_headers middleware removed a client‑supplied identity header before adding a trusted value from the authentication gateway. When the request is later forwarded to a PHP/FastCGI backend, Caddy normalizes HTTP header names into CGI variables by replacing hyphens with underscores. This transformation allows a client to send an underscore alias of an identity or group header that survives the delete step and maps to the same CGI variable. Result: a remote client can inject or sometimes override identity and group headers trusted by PHP/FastCGI applications behind Caddy. This leads to authentication bypass or privilege escalation. The issue is resolved in version 2.11.4.
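To make the collision concrete, the following is an added Go example (not Caddy's own code) that models the hyphen-to-underscore normalization the advisory describes and contrasts the exact-name delete with a delete keyed on the normalized CGI name. The header name X-Remote-User, the values and the request are constructed for illustration; Go's http.Header stores the underscore spelling under the key "X_remote_user", which is exactly why an exact delete of "X-Remote-User" misses it.

```go
package main

import (
	"net/http"
	"strings"
)

// cgiVarName: the CGI meta-variable a FastCGI backend sees for a header name
// (upper-cased, '-' replaced by '_', prefixed with HTTP_).
func cgiVarName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// deleteByCGIName removes every header whose normalized CGI name collides
// with the one being replaced, so no client-supplied alias reaches PHP.
func deleteByCGIName(h http.Header, name string) {
	want := cgiVarName(name)
	for k := range h {
		if cgiVarName(k) == want {
			delete(h, k)
		}
	}
}

// backendVars groups header values by the CGI variable they become; a
// collision shows up as more than one value under one variable.
func backendVars(h http.Header) map[string][]string {
	vars := make(map[string][]string)
	for k, v := range h {
		vars[cgiVarName(k)] = append(vars[cgiVarName(k)], v...)
	}
	return vars
}

// simulate runs the copy_headers flow on a constructed request carrying both
// spellings of the identity header. strict=false is the pre-2.11.4 exact-name
// delete; strict=true deletes by CGI name instead.
func simulate(strict bool) map[string][]string {
	req := http.Header{}
	req.Add("X-Remote-User", "spoofed")
	req.Add("X_Remote_User", "spoofed") // stored under the key "X_remote_user"
	if strict {
		deleteByCGIName(req, "X-Remote-User")
	} else {
		req.Del("X-Remote-User") // leaves the underscore alias in place
	}
	req.Set("X-Remote-User", "alice") // trusted value from the auth gateway
	return backendVars(req)
}
```

With the exact-name delete, HTTP_X_REMOTE_USER carries both the spoofed and the trusted value and the backend picks one; with the CGI-name delete only the gateway's value remains.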

Affected Systems

The flaw affects installations of Caddy Server using any version older than 2.11.4 where the forward_auth middleware or extension is enabled. These deployments typically rely on forwarded identity headers being trustworthy; when the request is routed to a PHP/FastCGI backend, the header normalization step can be manipulated. The vulnerability is specific to the caddyserver:caddy product line and applies regardless of host or domain as long as the vulnerable forward_auth configuration is in use.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity: the flaw is remotely exploitable over the network without requiring authentication. EPSS is not available and the vulnerability is not in the KEV catalog, suggesting no widespread exploitation currently. The likely attack vector is an unauthenticated HTTP client sending a crafted underscore header to a Caddy instance exposing FastCGI. Because the issue relies on the PHP/FastCGI backend trusting forwarded headers, exploitation can result in authentication bypass or privilege escalation, posing a serious threat to any application relying on forwarded identity information.

Generated by OpenCVE AI on June 24, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Caddy to version 2.11.4 or later, where the forward_auth copy_headers bug has been fixed.
  • If an immediate upgrade is not feasible, reconfigure the forward_auth middleware to avoid propagating client‑supplied identity or group headers; only forward headers that originate from a trusted authentication gateway.
  • On the PHP/FastCGI backend, validate or sanitize the identifiers that the application receives through CGI variables, rejecting any values that appear to be spoofed or invalid.

Advisories
Source: GitHub GHSA
ID: GHSA-f59h-q822-g45g
Title: Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
History

Tue, 23 Jun 2026 22:45:00 +0000

First Time appeared (values added): Caddyserver; Caddyserver caddy
Vendors & Products (values added): Caddyserver; Caddyserver caddy

Tue, 23 Jun 2026 18:15:00 +0000

Description (value added): Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
Title (value added): Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Weaknesses (values added): CWE-287; CWE-290; CWE-444
References (values added): none
Metrics (value added): cvssV3_1 score 8.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:52:01.871Z

Reserved: 2026-06-08T18:41:27.724Z

Link: CVE-2026-52845

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:30:14Z

Weaknesses
  • CWE-287: Improper Authentication
  • CWE-290: Authentication Bypass by Spoofing
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')