ID

VAR-202606-5321


CVE

CVE-2026-52845


TITLE

Multiple vulnerabilities in Caddy from Light Code Labs

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270

DESCRIPTION

Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.

Impact summary (JVNDB):
- All information handled by the software may be leaked to external parties.
- All information handled by the software may be overwritten.
- The software will not stop

Trust: 1.62

sources: NVD: CVE-2026-52845 // JVNDB: JVNDB-2026-021270

AFFECTED PRODUCTS

vendor: caddyserver  model: caddy  scope: lt  version: 2.11.4

Trust: 1.0

vendor: light code  model: caddy  scope: -  version: -

Trust: 0.8

vendor: light code  model: caddy  scope: eq  version: 2.11.4

Trust: 0.8

vendor: light code  model: caddy  scope: eq  version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270 // NVD: CVE-2026-52845

CVSS

SEVERITY

CVSSV2

CVSSV3

security-advisories@github.com: CVE-2026-52845
value: HIGH

Trust: 1.0

0b0ca135-0b70-47e7-9f44-1890c2a1c46c: CVE-2026-52845
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-021270
value: HIGH

Trust: 0.8

security-advisories@github.com: CVE-2026-52845
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 5.2
version: 3.1

Trust: 2.0

OTHER: JVNDB-2026-021270
baseSeverity: HIGH
baseScore: 8.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270 // NVD: CVE-2026-52845

PROBLEMTYPE DATA

problemtype:CWE-444

Trust: 1.0

problemtype:CWE-287

Trust: 1.0

problemtype:CWE-290

Trust: 1.0

problemtype: Improper Authentication (CWE-287) [ others ]

Trust: 0.8

problemtype: Authentication Bypass by Spoofing (CWE-290) [ others ]

Trust: 0.8

problemtype: HTTP Request Smuggling (CWE-444) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270 // NVD: CVE-2026-52845

PATCH

title: FastCGI header normalization bypass in `forward_auth copy_headers` - Advisory - caddyserver/caddy - GitHub
url: https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270

EXTERNAL IDS

db: NVD  id: CVE-2026-52845

Trust: 2.6

db: JVNDB  id: JVNDB-2026-021270

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270 // NVD: CVE-2026-52845

REFERENCES

url: https://access.redhat.com/security/cve/cve-2026-52845

Trust: 1.0

url: https://github.com/caddyserver/caddy/security/advisories/ghsa-f59h-q822-g45g

Trust: 1.0

url: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52845.json

Trust: 1.0

url: https://bugzilla.redhat.com/show_bug.cgi?id=2491907

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2026-52845

Trust: 0.8

sources: JVNDB: JVNDB-2026-021270 // NVD: CVE-2026-52845

SOURCES

db: JVNDB  id: JVNDB-2026-021270
db: NVD  id: CVE-2026-52845

LAST UPDATE DATE

2026-06-30T23:34:13.137000+00:00


SOURCES UPDATE DATE

db: JVNDB  id: JVNDB-2026-021270  date: 2026-06-29T02:13:00
db: NVD  id: CVE-2026-52845  date: 2026-06-30T03:20:49.410

SOURCES RELEASE DATE

db: JVNDB  id: JVNDB-2026-021270  date: 2026-06-29T00:00:00
db: NVD  id: CVE-2026-52845  date: 2026-06-23T18:18:05.267