CVE-2026-24853

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Caido's domain whitelist protection by injecting a malicious X-Forwarded-Host header, enabling unauthorized access to the Caido web interface. It affects all Caido instances running versions prior to 0.55.0 that have domain whitelisting enabled. Security teams using Caido for web security auditing are impacted.

💻 Affected Systems

Products:
  • Caido
Versions: All versions prior to 0.55.0
Operating Systems: All platforms running Caido
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with domain whitelisting enabled on port 8080.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative access to the Caido instance, potentially compromising the entire web security auditing infrastructure and accessing sensitive scan data.

🟠 Likely Case

Unauthorized users bypass security controls to access Caido's web interface, potentially viewing or modifying security scan configurations and results.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the Caido instance itself without lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single HTTP header modification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.55.0

Vendor Advisory: https://github.com/caido/caido/security/advisories/GHSA-3q5q-p8vj-8783

Restart Required: Yes

Instructions:

1. Stop the Caido service.
2. Update Caido to version 0.55.0 or later.
3. Restart the Caido service.

🔧 Temporary Workarounds

Network Access Control (linux)

Restrict network access to Caido's port 8080 using firewall rules. Replace trusted_ip_range with the source range that should reach Caido; the ACCEPT rule must be appended before the DROP rule, since iptables evaluates rules in order.

iptables -A INPUT -p tcp --dport 8080 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP

Reverse Proxy Configuration (all platforms)

Configure a reverse proxy to strip or validate X-Forwarded-Host headers before they reach Caido. For nginx, clearing the header in the location block that proxies to Caido:

proxy_set_header X-Forwarded-Host "";

🧯 If You Can't Patch

  • Change Caido's default port from 8080 to a non-standard port.
  • Disable domain whitelisting feature if not required for your use case.

🔍 How to Verify

Check if Vulnerable:

Send an HTTP request to Caido's port 8080 with header 'X-Forwarded-Host: 127.0.0.1:8080' and check if access is granted despite domain restrictions.

Check Version:

caido --version

Verify Fix Applied:

After patching, repeat the vulnerable test; access should be properly denied with the malicious header.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with X-Forwarded-Host header containing localhost or 127.0.0.1
  • Access logs showing successful connections from non-whitelisted domains

Network Indicators:

  • Unusual HTTP traffic to port 8080 with modified headers
  • Traffic patterns bypassing expected domain restrictions

SIEM Query:

source="caido_logs" AND (http_header="X-Forwarded-Host: 127.0.0.1" OR http_header="X-Forwarded-Host: localhost")
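The SIEM query above matches only the two literal header values. The following script is an added example (not part of the advisory and not Caido's own tooling) that applies the same log indicator to a constructed, JSON-lines access-log format and generalizes it: it strips a trailing :port, handles case differences and bracketed IPv6 literals, and flags any loopback address (127.0.0.0/8, ::1) as well as localhost. The log format and sample records are constructed for illustration; adapt the parsing to the log source you actually collect.

```python
import ipaddress
import json

# Constructed sample records (NOT Caido's real log format): one JSON object per line.
SAMPLE_LOGS = """\
{"ts":"2026-01-10T12:00:00Z","src":"203.0.113.7","method":"GET","path":"/","headers":{"Host":"caido.example.internal:8080"}}
{"ts":"2026-01-10T12:00:01Z","src":"203.0.113.7","method":"GET","path":"/","headers":{"Host":"caido.example.internal:8080","X-Forwarded-Host":"127.0.0.1:8080"}}
{"ts":"2026-01-10T12:00:02Z","src":"198.51.100.9","method":"GET","path":"/api","headers":{"host":"10.0.0.5:8080","x-forwarded-host":"LOCALHOST"}}
{"ts":"2026-01-10T12:00:03Z","src":"192.0.2.4","method":"GET","path":"/","headers":{"Host":"caido.example.internal:8080","X-Forwarded-Host":"caido.example.internal"}}
"""

LOOPBACK_NAMES = {"localhost"}


def split_host_port(value: str) -> str:
    """Return the host part of a Host-style header value, dropping any :port suffix."""
    value = value.strip()
    if value.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:8080
        end = value.find("]")
        return value[1:end] if end != -1 else value[1:]
    if value.count(":") > 1:  # unbracketed IPv6 literal: no port to strip
        return value
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host
    return value


def is_loopback_host(host: str) -> bool:
    """True for 'localhost' (any case) and any loopback IP address (127.0.0.0/8, ::1)."""
    h = host.strip().lower().rstrip(".")
    if h in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:  # not an IP literal at all
        return False


def header_value(headers: dict, name: str):
    """Case-insensitive lookup of a header in a dict of header name -> value."""
    name = name.lower()
    for k, v in headers.items():
        if k.lower() == name:
            return v
    return None


def find_spoofed_forwarded_host(log_text: str) -> list:
    """Return the records whose X-Forwarded-Host points at localhost or a loopback IP."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        xfh = header_value(rec.get("headers", {}), "X-Forwarded-Host")
        if xfh is None:
            continue
        if is_loopback_host(split_host_port(xfh)):
            hits.append({"ts": rec["ts"], "src": rec["src"],
                         "path": rec["path"], "x_forwarded_host": xfh})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_forwarded_host(SAMPLE_LOGS):
        print(f"ALERT {hit['ts']} src={hit['src']} path={hit['path']} "
              f"X-Forwarded-Host={hit['x_forwarded_host']!r}")
```

On the constructed sample the second and third records are flagged: the first carries no X-Forwarded-Host at all, and the fourth forwards a legitimate whitelisted hostname. A request that carries X-Forwarded-Host pointing at loopback is only meaningful when it did not originate from a trusted reverse proxy, so pairing this indicator with the source address (src above) reduces false positives once the proxy strips the header as recommended.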
