CVE-2026-52845 | Caddy is an extensible server platform that uses TLS by defa… | CVSS 8.1 HIGH

Description

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

Metadata

CVE ID: CVE-2026-52845
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-08 18:41 UTC
Published: 2026-06-23 17:52 UTC
Last updated: 2026-06-23 17:52 UTC
Primary CWE: CWE-287
CWE-287: Improper Authentication
Vendor / Product: caddyserver / caddy
Sources: cve.org · NVD

Severity & Metrics

8.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
caddyserver	caddy	—	< 2.11.4

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287: Improper Authentication
CWE-290	cna	CWE-290: Authentication Bypass by Spoofing
CWE-444	cna	CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.1	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References (1)

https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g