CVE-2026-30851
📋 TL;DR
Caddy servers running versions 2.10.0 through 2.11.1 with the forward_auth middleware configured are vulnerable to identity injection and privilege escalation. Headers that forward_auth should strip from the client request can instead pass through to the upstream, so a client can present an identity that the authentication gateway never asserted. This affects administrators who delegate authentication with forward_auth, in particular configurations that use copy_headers to pass the gateway's identity headers to the upstream.
💻 Affected Systems
- Caddy
⚠️ Manual Verification Required
The database entry behind this page carries no machine-readable version range, so automated detection cannot decide whether your system is affected.
Why? The entry lists no version ranges from the vendor/NVD. Use the range given in the summary above (2.10.0 through 2.11.1, fixed in 2.11.2) together with the manual checks below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.11.2 or later; if that is not immediately possible, apply the workarounds below
⚠️ Risk & Real-World Impact
Worst Case
Attackers could escalate privileges to administrative levels, gain unauthorized access to protected resources, or impersonate legitimate users across the entire application.
Likely Case
Authentication bypass allowing unauthorized access to protected endpoints or services behind the Caddy proxy.
If Mitigated
Network segmentation and an independent authentication layer at the upstream limit what a bypassed forward_auth check exposes, but they do not close the bypass itself; only the patch does.
🎯 Exploit Status
Exploitation consists of sending HTTP requests with crafted headers to endpoints protected by forward_auth. No credentials are needed to attempt it; a single request per endpoint is enough to test whether a client-supplied identity header reaches the upstream.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.2
Vendor Advisory: https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4
Restart Required: Yes
Instructions:
1. Back up the current Caddy configuration (Caddyfile or JSON config).
2. Update Caddy to version 2.11.2 or later using your package manager or a download from official sources.
3. Restart the Caddy service.
4. Verify the update: caddy version must report 2.11.2 or later.
🔧 Temporary Workarounds
Disable forward_auth copy_headers
Remove the copy_headers subdirective from every forward_auth block. The gateway still gates access, but the upstream then receives no identity headers from it, so an application that reads those headers sees every request as anonymous. Confirm the upstream does not fall back to trusting the same header names straight from the client.
Edit the Caddyfile to remove 'copy_headers' from forward_auth blocks, then reload Caddy.
Use alternative authentication
Replace forward_auth with a different authentication mechanism.
Caddy ships basic_auth (spelled basicauth in older releases). JWT validation is not part of the standard Caddy distribution and needs a third-party module, so review and pin any plugin before relying on it; either option changes the authentication model rather than patching this bug.
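The three configurations below are an added illustration, not configuration taken from the advisory or from the Caddy project. The gateway address auth-gateway:9091, the verification path /api/authz/forward-auth, the upstream app:8080 and the Remote-* header names are assumptions; substitute the names your own copy_headers line uses.

```caddyfile
# Added example, not from the advisory or the Caddy project.
# Assumed names: auth-gateway:9091, /api/authz/forward-auth, app:8080 and the
# three Remote-* identity headers. Only one of these site blocks belongs in a
# real Caddyfile; they are shown side by side for comparison.

# 1. Affected pattern on 2.10.0 through 2.11.1: forward_auth with copy_headers.
app.example.com {
	forward_auth auth-gateway:9091 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Email
	}
	reverse_proxy app:8080
}

# 2. Workaround from this page: copy_headers removed. The gateway still decides
#    access, but app:8080 no longer receives any identity headers, so it must not
#    read Remote-* from the request at all (a client can still send them).
app.example.com {
	forward_auth auth-gateway:9091 {
		uri /api/authz/forward-auth
	}
	reverse_proxy app:8080
}

# 3. Defense in depth (an assumption, not a substitute for updating to 2.11.2):
#    delete any client-supplied copies of the identity headers before the auth
#    subrequest runs. `route` is used so the directives execute in the order
#    written; outside `route` Caddy sorts directives by its own fixed order.
app.example.com {
	route {
		request_header -Remote-User
		request_header -Remote-Groups
		request_header -Remote-Email
		forward_auth auth-gateway:9091 {
			uri /api/authz/forward-auth
			copy_headers Remote-User Remote-Groups Remote-Email
		}
		reverse_proxy app:8080
	}
}
```

Validate whichever block you adopt with caddy validate before reloading. In block 3 the strip runs before forward_auth, so the only way a Remote-* header can reach app:8080 is from the gateway's response; in block 2 the upstream must be audited for any code path that reads those header names.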
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to forward_auth protected endpoints
- Add additional authentication layers before the vulnerable Caddy instance
🔍 How to Verify
Check if Vulnerable:
Run caddy version. If it reports 2.10.0 through 2.11.1 and any site block uses forward_auth with copy_headers, the instance is vulnerable. Search the Caddyfile for forward_auth; if you manage JSON config directly, note that forward_auth has no JSON name: it is a reverse_proxy handler with a handle_response route that copies headers, so look for handle_response blocks that set request headers from the auth upstream's response.
Check Version:
caddy version
Verify Fix Applied:
caddy version must report 2.11.2 or later. Then send a request to a forward_auth-protected endpoint that carries one of your copy_headers names (for example Remote-User) without valid gateway authentication; it must be rejected, and the upstream must not observe the client-supplied value.
📡 Detection & Monitoring
Log Indicators:
- Requests to forward_auth-protected paths whose client headers include the identity header names listed in copy_headers (for example Remote-User); legitimate clients never send these
- Protected endpoints served with a 2xx status to sources that never completed the gateway's login flow
- Clusters of 401/403 responses from the gateway for the same source, followed by a 2xx with an identity header present
Network Indicators:
- Inbound requests carrying identity or forwarding headers from outside the trusted proxy chain
- Unusual request volume against authentication endpoints from a small set of sources
SIEM Query:
logger="http.log.access" AND request.uri="/admin*" AND (request.headers.Remote-User=* OR status IN (401, 403))
(Generic pseudo-syntax; adapt to your SIEM. Field names follow Caddy's JSON access log: logger, request.uri, request.headers, status. Replace /admin with your protected path matcher and Remote-User with the names from your copy_headers line. Note that a clause such as http_header="*" matches every request and is not useful.)
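The script below is an added example serving both the verification section above and the detection indicators here; it is not Caddy project code or tooling from this page. It assumes that `caddy version` output begins with the version string (such as "v2.11.1 h1:..."), that access logs are in Caddy's default JSON shape (logger "http.log.access", request.uri, request.headers as name to list of values, status), and that the Remote-* header names and the /admin prefix are the identity headers and protected paths of the deployment; the log lines embedded in it are constructed, not real.

```python
"""Operational checks for this advisory: version-range test and access-log scan.

Added example, not Caddy project code or tooling from this page. Assumptions:
  * `caddy version` output starts with the version, e.g. "v2.11.1 h1:...".
  * Access logs are Caddy's default JSON shape: logger "http.log.access",
    request.uri, request.headers (name -> list of values), status.
  * Identity header names (Remote-*) and the protected prefix (/admin) are
    deployment specific; set them from your own copy_headers and matchers.
"""
import json
import re
from typing import Iterable, Optional

VULN_LOW = (2, 10, 0)    # first affected release (from this page)
VULN_HIGH = (2, 11, 1)   # last affected release, inclusive
FIXED = (2, 11, 2)       # first fixed release


def parse_caddy_version(output: str) -> Optional[tuple]:
    """Return (major, minor, patch) from `caddy version` output, or None."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", output)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable_version(output: str) -> Optional[bool]:
    """True if inside the affected range, False if outside, None if unknown
    (for example a "(devel)" build, which must be judged by commit instead)."""
    v = parse_caddy_version(output)
    if v is None:
        return None
    return VULN_LOW <= v <= VULN_HIGH


IDENTITY_HEADERS = ("Remote-User", "Remote-Groups", "Remote-Email")  # assumed copy_headers list
PROTECTED_PREFIXES = ("/admin",)                                      # assumed forward_auth paths


def scan_access_log(lines: Iterable[str],
                    identity_headers=IDENTITY_HEADERS,
                    protected_prefixes=PROTECTED_PREFIXES) -> list:
    """Flag requests to protected paths that carry client-supplied identity
    headers, or that the gateway rejected (401/403). One dict per flagged event."""
    wanted = {h.lower() for h in identity_headers}
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                                   # not JSON: skip
        if ev.get("logger") != "http.log.access":
            continue                                   # TLS, admin API, etc.
        req = ev.get("request", {})
        uri = req.get("uri", "")
        if not uri.startswith(protected_prefixes):
            continue
        # Header names are compared case-insensitively; Caddy logs them canonicalised.
        injected = sorted(h for h in req.get("headers", {}) if h.lower() in wanted)
        status = ev.get("status")
        reasons = []
        if injected:
            reasons.append("client sent identity header(s)")
        if status in (401, 403):
            reasons.append("auth gateway denied")
        if reasons:
            findings.append({
                "client_ip": req.get("client_ip") or req.get("remote_ip"),
                "uri": uri, "status": status,
                "headers": injected, "reasons": reasons,
            })
    return findings


# Constructed sample lines (not real logs). The second is the one that matters:
# a client-supplied Remote-User on a protected path that was served with 200.
SAMPLE_LOG = [
    '{"logger":"http.log.access","request":{"client_ip":"203.0.113.5","method":"GET","uri":"/admin/users","headers":{"User-Agent":["curl/8.0"]}},"status":200}',
    '{"logger":"http.log.access","request":{"client_ip":"198.51.100.7","method":"GET","uri":"/admin/users","headers":{"User-Agent":["curl/8.0"],"Remote-User":["admin"]}},"status":200}',
    '{"logger":"http.log.access","request":{"client_ip":"198.51.100.7","method":"POST","uri":"/admin/keys","headers":{"User-Agent":["curl/8.0"]}},"status":403}',
    '{"logger":"http.log.access","request":{"client_ip":"192.0.2.9","method":"GET","uri":"/public/index.html","headers":{"Remote-User":["root"]}},"status":200}',
    '{"logger":"tls","msg":"certificate renewed"}',
]

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("v2.11.1 h1:abc="))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Before relying on the scan in production, check on your own Caddy output whether request.headers in the access log shows the headers as the client sent them or as they stood after forward_auth rewrote them; if it is the latter, every legitimately authenticated request will carry Remote-User and the rule must instead be applied to headers captured ahead of Caddy or compared against what the gateway asserted.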