CVE-2026-52845

EPSS 0.2%
Veröffentlicht 23.06.2026 18:18:05
Zuletzt bearbeitet 24.06.2026 16:16:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellercaddyserver

≫

Produkt caddy

Version < 2.11.4

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.2%	0.1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-290 Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g

https://nvd.nist.gov/vuln/detail/CVE-2026-52845

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-52845

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-52845

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-52845