Identity Injection and Privilege Escalation in Caddy Server Platform
CVE-2026-30851

8.1 HIGH

Key Information:

CVE Published: 7 March 2026

What is CVE-2026-30851?

Caddy, an extensible server platform that uses TLS by default, contains a security vulnerability in versions 2.10.0 through 2.11.1. The copy_headers option of the forward_auth directive fails to strip client-supplied headers, so a client can inject an identity of its own choosing into the headers the backend trusts. This can give malicious users elevated privileges and poses a significant risk to system security. The issue has been fixed in version 2.11.2.
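As an added illustration (not from the advisory or the Caddy project), a Caddyfile that puts the exposed pattern beside a hardened one: the hardened site removes any identity headers the client may have sent before the forward_auth subrequest, so only values the auth server's response sets via copy_headers reach the backend. The hostnames, upstream addresses, verify path and the Remote-User / Remote-Groups header names are assumptions; substitute the ones your auth server emits.

```caddyfile
# Exposed pattern (constructed example): in caddy >= 2.10.0, < 2.11.2 a
# Remote-User header supplied by the client can reach app:8080 when the
# auth server's response does not itself set that header.
exposed.example.com {
	forward_auth auth-server:9091 {
		uri /api/verify
		copy_headers Remote-User Remote-Groups
	}
	reverse_proxy app:8080
}

# Hardened pattern (constructed example): drop the identity headers from
# the client request first, then let forward_auth populate them from the
# auth server's response. A route block is used so the directives run in
# the written order rather than Caddy's default directive sorting.
hardened.example.com {
	route {
		# Delete any client-supplied copies of the trusted identity headers.
		request_header -Remote-User
		request_header -Remote-Groups

		# Only headers set by the auth server's response are copied now.
		forward_auth auth-server:9091 {
			uri /api/verify
			copy_headers Remote-User Remote-Groups
		}

		reverse_proxy app:8080
	}
}
```

Upgrading to 2.11.2 is the fix; the hardened pattern is defence in depth for a proxy that cannot be upgraded immediately.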

Affected Version(s)

caddy >= 2.10.0, < 2.11.2

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
