ID
VAR-202603-4755
CVE
CVE-2026-30851
DESCRIPTION
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Trust: 1.0
sources:
NVD: CVE-2026-30851
AFFECTED PRODUCTS
| vendor: | caddyserver | model: | caddy | scope: | gte | version: | 2.10.0 | Trust: 1.0 |
| vendor: | caddyserver | model: | caddy | scope: | lt | version: | 2.11.2 | Trust: 1.0 |
sources:
NVD: CVE-2026-30851
CVSS
SEVERITY | CVSSV2 | CVSSV3 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
sources:
NVD: CVE-2026-30851 //
NVD: CVE-2026-30851
PROBLEMTYPE DATA
| problemtype: | CWE-345 | Trust: 1.0 |
| problemtype: | CWE-287 | Trust: 1.0 |
sources:
NVD: CVE-2026-30851
EXTERNAL IDS
| db: | NVD | id: | CVE-2026-30851 | Trust: 1.0 |
sources:
NVD: CVE-2026-30851
REFERENCES
| url: | https://github.com/caddyserver/caddy/security/advisories/ghsa-7r4p-vjf4-gxv4 | Trust: 1.0 |
| url: | https://github.com/caddyserver/caddy/pull/6608 | Trust: 1.0 |
| url: | https://github.com/caddyserver/caddy/issues/6610 | Trust: 1.0 |
| url: | https://github.com/caddyserver/caddy/pull/7545 | Trust: 1.0 |
sources:
NVD: CVE-2026-30851
SOURCES
| db: | NVD | id: | CVE-2026-30851 |
LAST UPDATE DATE
2026-03-26T23:21:16.181000+00:00
SOURCES UPDATE DATE
| db: | NVD | id: | CVE-2026-30851 | date: | 2026-03-11T13:06:25.083 |
SOURCES RELEASE DATE
| db: | NVD | id: | CVE-2026-30851 | date: | 2026-03-07T17:15:52.540 |