CVE Catalog

CVE-2026-52845

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

Caddy before version 2.11.4 has a vulnerability in the forward_auth copy_headers mechanism that allows a remote client to bypass identity header deletion and inject its own headers into PHP/FastCGI applications. This occurs because Caddy normalizes HTTP headers into CGI variables by replacing hyphens with underscores, enabling the attacker to use an underscore alias.

Risk Assessment

The organization is at risk of identity spoofing or privilege escalation in PHP/FastCGI applications, potentially leading to unauthorized access to data or administrative functions.

Recommendation

Immediately update Caddy to version 2.11.4 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS