Impact
Prior to Caddy 2.11.4, the forward_auth copy_headers middleware removed a client-supplied identity header before adding a trusted value from the authentication gateway. When the request is later forwarded to a PHP/FastCGI backend, Caddy normalizes HTTP header names into CGI variables by replacing hyphens with underscores. Because of this transformation, a client can send an underscore alias of an identity or group header that survives the delete step yet maps to the same CGI variable as the trusted header. As a result, a remote client can inject, and in some cases override, identity and group headers trusted by PHP/FastCGI applications behind Caddy, leading to authentication bypass or privilege escalation. The issue is resolved in version 2.11.4.
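The collision described above, as an added Go example that is not Caddy's own code: it models the hyphen-to-underscore CGI normalization, the pre-fix delete-then-set behaviour, a corrected variant that removes every header that normalizes to the same CGI variable, and a check that reports which header keys collide. The header name Remote-User and the values are constructed for the example, not taken from the advisory.

```go
package main

import (
	"net/http"
	"sort"
	"strings"
)

// cgiName maps an HTTP header name to the CGI variable a FastCGI backend
// sees: hyphens become underscores, upper-cased, with the HTTP_ prefix.
func cgiName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// copyHeaderVulnerable mirrors the pre-2.11.4 behaviour: delete the exact
// header name only, then set the trusted value from the auth gateway.
func copyHeaderVulnerable(h http.Header, name, trusted string) {
	h.Del(name)
	h.Set(name, trusted)
}

// copyHeaderFixed drops every client header that normalizes to the same
// CGI variable before setting the trusted value, so no alias survives.
func copyHeaderFixed(h http.Header, name, trusted string) {
	want := cgiName(name)
	for k := range h {
		if cgiName(k) == want {
			delete(h, k)
		}
	}
	h.Set(name, trusted)
}

// aliasesFor lists every header key that collapses onto the same CGI
// variable as name; more than one entry means the backend sees a collision.
func aliasesFor(h http.Header, name string) []string {
	var keys []string
	for k := range h {
		if cgiName(k) == cgiName(name) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

// constructedRequest builds sample client headers (constructed for this
// example): the hyphenated identity header plus an underscore alias of it.
func constructedRequest() http.Header {
	h := http.Header{}
	h.Set("Remote-User", "alice") // exact name, removed by Del
	h.Set("Remote_User", "admin") // alias, survives Del, maps to HTTP_REMOTE_USER
	return h
}
```

Which of the two colliding values the PHP application finally sees depends on the order in which the FastCGI transport encodes the headers, which is why the advisory describes the outcome as injection and, in some cases, override.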
Affected Systems
The flaw affects installations of Caddy Server using any version older than 2.11.4 where the forward_auth middleware or extension is enabled. These deployments typically rely on forwarded identity headers being trustworthy; when the request is routed to a PHP/FastCGI backend, the header normalization step can be manipulated. The vulnerability is specific to the caddyserver:caddy product line and applies regardless of host or domain as long as the vulnerable forward_auth configuration is in use.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity; the attack vector is remote exploitation over the network without requiring authentication. No EPSS score is available and the vulnerability is not cataloged, suggesting no widespread exploitation at present. The likely attack path is an unauthenticated HTTP client sending a crafted underscore header to a Caddy instance that fronts a FastCGI backend. Because the issue relies on the PHP/FastCGI backend trusting forwarded headers, exploitation can result in authentication bypass or privilege escalation, posing a serious threat to any application that relies on forwarded identity information.
OpenCVE Enrichment
GitHub GHSA