SB2026042758 - Multiple vulnerabilities in Caddy
Published: April 27, 2026
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Insufficient verification of data authenticity (CVE-ID: CVE-2026-30851)
The vulnerability allows a remote user to inject trusted identity headers and escalate privileges.
The vulnerability exists due to insufficient verification of data authenticity in the forward_auth copy_headers handling in modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go. When the upstream auth service answers 200 OK but does not return one of the configured copy_headers headers, the client-supplied value of that header is not discarded and reaches the backend as if it had come from the auth service. A remote user can send a specially crafted request carrying forged identity headers to inject trusted identity headers and escalate privileges.
Exploitation requires a valid authentication token and affects only deployments where the auth service validates credentials without returning the configured identity headers in its response.
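The following Go program is an added illustration of the failure mode described above; it is a model written for this bulletin, not Caddy's own forward_auth code, and the header names (X-Forwarded-User, X-Forwarded-Groups) and the sample request and auth reply are constructed assumptions. vulnerableCopy only overwrites a configured header when the auth service returned it, so a forged client header survives when the auth service says 200 OK but stays silent about identity. hardenedCopy deletes every configured identity header from the incoming request before copying, so the backend only ever sees values the auth service set.

```go
package main

import (
	"fmt"
	"net/http"
)

// copyHeaders models the configured copy_headers list: the identity headers
// that are copied from the auth service's response onto the request that
// continues to the backend. Names are illustrative, not taken from the bulletin.
var copyHeaders = []string{"X-Forwarded-User", "X-Forwarded-Groups"}

// authResponse models what the upstream auth service returned.
type authResponse struct {
	status  int
	headers http.Header
}

// vulnerableCopy mirrors the behaviour the bulletin describes: a configured
// header is overwritten only when the auth response carries it. A header the
// auth service omits is left untouched, so whatever the client sent survives.
// It returns the headers the backend would see and whether the request passed.
func vulnerableCopy(req http.Header, auth authResponse) (http.Header, bool) {
	if auth.status != http.StatusOK {
		return nil, false
	}
	out := req.Clone()
	if out == nil {
		out = http.Header{}
	}
	for _, name := range copyHeaders {
		if v := auth.headers.Get(name); v != "" {
			out.Set(name, v)
		}
	}
	return out, true
}

// hardenedCopy strips every configured identity header from the client's
// request first, then copies only what the auth service actually returned.
// An absent auth header therefore results in an absent backend header,
// never in a client-controlled one.
func hardenedCopy(req http.Header, auth authResponse) (http.Header, bool) {
	if auth.status != http.StatusOK {
		return nil, false
	}
	out := req.Clone()
	if out == nil {
		out = http.Header{}
	}
	for _, name := range copyHeaders {
		out.Del(name)
		if v := auth.headers.Get(name); v != "" {
			out.Set(name, v)
		}
	}
	return out, true
}

func main() {
	// Constructed request: a valid token plus a forged identity header.
	req := http.Header{
		"Authorization":    {"Bearer valid-token"},
		"X-Forwarded-User": {"admin"},
	}
	// Constructed auth reply: credentials accepted, no identity headers returned.
	auth := authResponse{status: http.StatusOK, headers: http.Header{}}

	v, _ := vulnerableCopy(req, auth)
	h, _ := hardenedCopy(req, auth)
	fmt.Printf("vulnerable: backend sees X-Forwarded-User=%q\n", v.Get("X-Forwarded-User"))
	fmt.Printf("hardened:   backend sees X-Forwarded-User=%q\n", h.Get("X-Forwarded-User"))
}
```

The general rule the hardened variant applies holds for any proxy-level authentication hook: identity headers that a backend trusts must be removed from the client request before the auth step, regardless of what the auth service returns, because the absence of a header in the auth response is not a statement about the client's copy of it.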
2) Improper Neutralization of Special Elements in Output Used by a Downstream Component (CVE-ID: CVE-2026-30852)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in the vars_regexp matcher when processing user-controlled placeholder values. A remote attacker can send a specially crafted request header to disclose sensitive information.
Exploitation requires a configuration in which vars_regexp matches user-controlled input and the captured value is reflected in the response.
Remediation
Install the update from the vendor's website.