Caddy Server: Identity Injection in Forward Auth
UBUNTU-CVE-2026-30851
CVSS score: 8.1
Summary
Caddy Server's forward_auth handler, when configured with copy_headers, does not strip client-supplied headers, so a client can inject identity headers, impersonate another user and gain unauthorized access. This issue has been fixed in version 2.11.2. Update to the latest version to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| canonical | caddy | All versions | – |
Original title
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity in...
Original description
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
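As an added workaround example (not configuration from the advisory or the Caddy project): the Caddyfile below shows a typical forward_auth setup with copy_headers beside a hardened form that deletes the identity headers from the client request before forward_auth runs, so only values the auth service sets can reach the backend. It assumes an auth service at authelia:9091, a backend at app:8080 and the header names Remote-User, Remote-Groups and Remote-Email; upgrading to 2.11.2 remains the actual fix.

```caddyfile
# Added example, not from the advisory or the Caddy project.
# Assumptions: auth service at authelia:9091 that sets Remote-User,
# Remote-Groups and Remote-Email; application backend at app:8080.
# The two site blocks are alternatives for the same site; a real
# Caddyfile contains only one of them.

# Weak (affected versions 2.10.0 to before 2.11.2): the listed headers
# are copied from the auth response, but nothing removes values the
# client sent under the same names before the request reaches the backend.
app.example.com {
    forward_auth authelia:9091 {
        uri /api/verify?rd=https://auth.example.com
        copy_headers Remote-User Remote-Groups Remote-Email
    }
    reverse_proxy app:8080
}

# Hardened: delete the identity headers from the incoming request first.
# The directives sit inside `route` so they execute in the order written;
# in Caddy's default directive order request_header runs after forward_auth,
# which would strip the headers the auth service just set.
app.example.com {
    route {
        request_header -Remote-User
        request_header -Remote-Groups
        request_header -Remote-Email
        forward_auth authelia:9091 {
            uri /api/verify?rd=https://auth.example.com
            copy_headers Remote-User Remote-Groups Remote-Email
        }
        reverse_proxy app:8080
    }
}
```

The backend should still treat these headers as trustworthy only when they arrive from the proxy, never directly from clients.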
CVSS 3.1 (osv): 8.1
References
- https://ubuntu.com/security/CVE-2026-30851 (Third Party Advisory)
- https://www.cve.org/CVERecord?id=CVE-2026-30851 (Third Party Advisory)
- https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4 (Third Party Advisory)
- https://github.com/caddyserver/caddy/issues/6610 (Third Party Advisory)
- https://github.com/caddyserver/caddy/pull/6608 (Third Party Advisory)
- https://github.com/caddyserver/caddy/pull/7545 (Third Party Advisory)
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026