CVE-2026-52845
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk16th percentile — higher than 16% of all known CVEs
Summary
Caddy before version 2.11.4 has a vulnerability in the forward_auth copy_headers mechanism that allows a remote client to bypass identity header deletion and inject its own headers into PHP/FastCGI applications. This occurs because Caddy normalizes HTTP headers into CGI variables by replacing hyphens with underscores, enabling the attacker to use an underscore alias.
Risk Assessment
The organization is at risk of identity spoofing or privilege escalation in PHP/FastCGI applications, potentially leading to unauthorized access to data or administrative functions.
Recommendation
Immediately update Caddy to version 2.11.4 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

