Caddyserver Caddy vulnerabilities
15 known vulnerabilities affecting caddyserver/caddy.
Total CVEs: 15
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 7, MEDIUM 6, LOW 1

Vulnerabilities
CVE-2026-30851 | HIGH | CVSS 8.8 | CWE-287 | affected: >= 2.10.0, < 2.11.2 | 2026-03-07
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Sources: cvelistv5, nvd
CVE-2026-30852 | MEDIUM | CVSS 5.5 | CWE-74 | affected: >= 2.7.5, < 2.11.2 | 2026-03-07
Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then pa
Sources: cvelistv5, nvd
CVE-2026-27586 | HIGH | CVSS 8.8 | CWE-755 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signe
Sources: cvelistv5, nvd
CVE-2026-27588 | HIGH | CVSS 7.7 | CWE-178 | affected: >= 2.10.2, < 2.11.1 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attache
Sources: cvelistv5, nvd
CVE-2026-27590 | HIGH | CVSS 8.9 | CWE-20 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters
Sources: cvelistv5, nvd
CVE-2026-27587 | HIGH | CVSS 7.7 | CWE-178 | affected: >= 2.10.2, < 2.11.1 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any acce
Sources: cvelistv5, nvd
CVE-2026-27585 | MEDIUM | CVSS 6.9 | CWE-20 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Sources: cvelistv5, nvd
CVE-2026-27589 | MEDIUM | CVSS 6.9 | CWE-352 | fixed in 2.11.1 | 2026-02-24
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-
Sources: cvelistv5, nvd
CVE-2023-50463 | MEDIUM | CVSS 6.5 | CWE-290 | affected: <= 0.6.0 | 2023-12-10
The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
Source: nvd
CVE-2023-44487 | HIGH | CVSS 7.5 | CWE-400 | KEV, PoC | fixed in 2.7.5 | 2023-10-10
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: nvd
CVE-2022-28923 | MEDIUM | CVSS 6.1 | CWE-601 | PoC | affected: v2.4.6 | 2023-02-06
Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
Sources: nvd, osv
CVE-2022-34037 | HIGH | CVSS 7.5 | CWE-125 | affected: v2.5.1 | 2022-07-22
An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request
Source: nvd
CVE-2022-29718 | MEDIUM | CVSS 6.1 | CWE-601 | affected: >= 2.4.0, < 2.5.0 | 2022-06-02
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users into clicking on crafted links.
Source: nvd
CVE-2018-21246 | CRITICAL | CVSS 9.8 | CWE-287 | fixed in 0.10.3 | 2020-06-15
Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Source: nvd
CVE-2018-19148 | LOW | CVSS 3.7 | CWE-200 | affected: <= 0.11.0 | 2018-11-10
Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in t
Source: nvd