CVE-2026-52845

HIGH 8.1

Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`

CVSS Score

8.1

EPSS Score

0.0%

EPSS Percentile

0th

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

CWE	CWE-287 CWE-290 CWE-444
Vendor	caddyserver
Product	caddy
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for caddyserver caddy

Be the first to know when new high vulnerabilities affecting caddyserver caddy are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

caddyserver / caddy

< 2.11.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g