{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30851", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-07T16:28:37.097Z", "dateUpdated": "2026-03-09T18:24:49.691Z"}, "containers": {"cna": {"title": "Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation", "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "lang": "en", "description": "CWE-287: Improper Authentication", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4"}, {"name": "https://github.com/caddyserver/caddy/issues/6610", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/issues/6610"}, {"name": "https://github.com/caddyserver/caddy/pull/6608", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/pull/6608"}, {"name": "https://github.com/caddyserver/caddy/pull/7545", "tags": ["x_refsource_MISC"], "url": "https://github.com/caddyserver/caddy/pull/7545"}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"version": ">= 2.10.0, < 2.11.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:28:37.097Z"}, "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2."}], "source": {"advisory": "GHSA-7r4p-vjf4-gxv4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:58:58.176957Z", "id": "CVE-2026-30851", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:24:49.691Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30851", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:58:58.176957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:58:59.189Z"}}], "cna": {"title": "Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation", "source": {"advisory": "GHSA-7r4p-vjf4-gxv4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "caddyserver", "product": "caddy", "versions": [{"status": "affected", "version": ">= 2.10.0, < 2.11.2"}]}], "references": [{"url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4", "name": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/caddyserver/caddy/issues/6610", "name": "https://github.com/caddyserver/caddy/issues/6610", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/caddyserver/caddy/pull/6608", "name": "https://github.com/caddyserver/caddy/pull/6608", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/caddyserver/caddy/pull/7545", "name": "https://github.com/caddyserver/caddy/pull/7545", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287: Improper Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:28:37.097Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30851", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:24:49.691Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:28:37.097Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:caddyserver:caddy:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD3D5EC2-EC73-4F75-841D-E2A30A0410B2", "versionEndExcluding": "2.11.2", "versionStartIncluding": "2.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2."}, {"lang": "es", "value": "Caddy es una plataforma de servidor extensible que utiliza TLS por defecto. Desde la versi\u00f3n 2.10.0 hasta antes de la versi\u00f3n 2.11.2, forward_auth copy_headers no elimina los encabezados proporcionados por el cliente, permitiendo la inyecci\u00f3n de identidad y la escalada de privilegios. Este problema ha sido parcheado en la versi\u00f3n 2.11.2."}], "id": "CVE-2026-30851", "lastModified": "2026-03-11T13:06:25.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T17:15:52.540", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/caddyserver/caddy/issues/6610"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/caddyserver/caddy/pull/6608"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/caddyserver/caddy/pull/7545"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-345"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.10.0,2.11.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "caddy", "source": "cna", "vendor": "caddyserver"}, "product": "caddy", "vendor": "caddyserver"}], "analysis": {"en": {"generated_at": "2026-04-16T10:47:37.182402+00:00", "value": {"mitigation_remediation": ["Upgrade the Caddy server to version 2.11.2 or later to apply the patch that ensures client\u2011supplied headers are stripped.", "Verify that the forward_auth copy_headers configuration no longer forwards any identity\u2011related headers.", "Limit the use of forward_auth copy_headers to only trusted headers or remove the feature entirely if immediate upgrade is not possible.", "Audit authentication flows to confirm that no unauthorized identity injection can occur and review access controls accordingly."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Caddy server versions from 2.10.0 up to 2.11.1 are affected. Versions 2.11.2 and later include the fix.", "description_and_impact": "The vulnerability occurs in Caddy\u2019s forward_auth copy_headers functionality, which fails to drop client\u2011supplied headers. An attacker can inject identity\u2011related headers, causing the server to trust and authorize the attacker as another user. This leads to unauthorized privilege escalation on the system. The weakness aligns with authentication bypass (CWE\u2011287) and implicit trust of user data (CWE\u2011345).", "risk_and_exploitability": "This flaw has a CVSS score of 8.1, denoting high severity. The EPSS score is below 1\u202f%, indicating a very low likelihood of exploitation based on current data, and it is not listed in the CISA KEV catalog. The likely attack involves a remote client sending crafted headers to the Caddy server to manipulate the forwarded identity headers."}}}}, "created": "2026-03-09T10:04:56.316446+00:00", "updated": "2026-04-16T11:00:10.635967+00:00", "vendors": ["caddyserver", "caddyserver$PRODUCT$caddy"]}