CVE-2026-30851
Published 2026-03-07
Priority: P3 · 56 · high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.25% (16.1th percentile)
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | — | — |
| caddyserver | caddy | >= 2.10.0 < 2.11.2 | 2.11.2 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 2.10.0 < 2.11.2 | 2.11.2 |
| github.com | caddyserver_caddy_v2_modules_caddyhttp_reverseproxy | >= 2.10.0 < 2.11.2 | 2.11.2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | — |
| vendor_debian | 8.1 | LOW | — |
OSV
Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
osv · 2026-03-10
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
OSV
CVE-2026-30851: Caddy is an extensible server platform that uses TLS by default
osv · 2026-03-07 · CVSS 8.8 · HIGH
GHSA
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
ghsa · 2026-03-06 · CWE-287 · HIGH
## Summary
Caddy's `forward_auth` directive with `copy_headers` generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name.
When an auth service returns `200 OK` without one of the configured `copy_headers` headers, the client-supplied header passes through unchanged to the backend. Any requester holding a valid authentication token can inject arbitrary values for trusted identity headers, resulting in privilege escalation.
This is a regression introduced by PR #6608 in November 202
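The header handling the summary describes, modelled in Go as an added example (this is not Caddy's own code, and the `github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy` package is not used). `stripClient=false` reproduces the behaviour the advisory describes: a conditional set that fires only when the auth response carries the header, with no removal of the client's copy. `stripClient=true` is the fail-closed order of operations a practitioner wants: delete the client-supplied value first, then set it only from what the auth service asserted. The header names, the token placeholder and the request/response values are constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// copyHeaders is the constructed copy_headers list for this example. The names
// are typical of forward_auth deployments and are assumptions, not values taken
// from the advisory.
var copyHeaders = []string{"X-Forwarded-User", "X-Forwarded-Groups"}

// buildBackendHeaders models (it is not Caddy's code) how identity headers reach
// the backend after the auth service has answered 200 OK.
//
// stripClient=false reproduces the behaviour the advisory describes: each
// configured header is only set when the auth response carries it, and the
// client's own copy is never removed, so a header the auth service omitted
// passes through untouched.
//
// stripClient=true is the fail-closed order of operations: delete the
// client-supplied value first, then set it only from the auth response. The
// backend then sees either an auth-asserted value or nothing at all.
func buildBackendHeaders(client, authResp http.Header, names []string, stripClient bool) http.Header {
	out := client.Clone() // never mutate the caller's request headers
	for _, name := range names {
		if stripClient {
			out.Del(name)
		}
		if v := authResp.Get(name); v != "" {
			out.Set(name, v)
		}
	}
	return out
}

func main() {
	// Constructed request from an authenticated user who also sends a forged
	// identity header. The bearer token value is a placeholder.
	client := http.Header{}
	client.Set("Authorization", "Bearer <token-placeholder>")
	client.Set("X-Forwarded-User", "admin")

	// Constructed auth response: 200 OK, but it asserts groups only and omits
	// X-Forwarded-User, which is exactly the case the advisory describes.
	authResp := http.Header{}
	authResp.Set("X-Forwarded-Groups", "users")

	for _, strip := range []bool{false, true} {
		backend := buildBackendHeaders(client, authResp, copyHeaders, strip)
		fmt.Printf("stripClient=%-5v X-Forwarded-User=%q X-Forwarded-Groups=%q\n",
			strip, backend.Get("X-Forwarded-User"), backend.Get("X-Forwarded-Groups"))
	}
}
```

The lesson for any reverse proxy that forwards identity headers is the same regardless of product: every header the backend treats as authoritative must be removed from the inbound request unconditionally, before the auth service's answer is consulted, so that a permissive or partial auth response can never leave a client-chosen value in place.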
OSV
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
osv · 2026-03-06
Debian
CVE-2026-30851: caddy
vendor_debian · 2026 · CVSS 8.1 · HIGH
Scope: local
bookworm: resolved
sid: resolved
trixie: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
bugzilla · 2026-06-11 · CVSS 8.8 · HIGH
+++ This bug was initially created as a clone of Bug #2445805 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [epel-all]
bugzilla · 2026-03-09 · CVSS 8.8 · HIGH
Discussion:
This flaw was introduced in caddy 2.10.0. EPEL 8 and EPEL 9 have caddy 2.6.4 and thus are not affected.
Fedora is affected, but I've cloned this bug to address it there.
---
EPEL 10 is affected as it has caddy 2.10.2.
Bugzilla
CVE-2026-30851 github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy: Caddy: Privilege escalation via identity injection due to unstripped client headers
bugzilla · 2026-03-07 · CVSS 8.8 · HIGH
Wiz
CVE-2026-30851 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 · HIGH
## CVE-2026-30851: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 8.8
Published March 7, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
NixOS
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
caddy
github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
Sources: NVD
Alpine 3.22, 3.23: Severity HIGH
Published: 2026-03-07