Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

7 matches found

NVD
NVDadded 2026/03/07 5:15 p.m.3 views

CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forwardauth copyheaders does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2...

8.8CVSS0.00249EPSS
Exploits1References4
Vulnrichment
Vulnrichmentadded 2026/03/07 4:28 p.m.2 views

CVE-2026-30851 Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forwardauth copyheaders does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2...

8.1CVSS5.7AI score0.00249EPSS
Exploits1References4
Cvelist
Cvelistadded 2026/03/07 4:28 p.m.31 views

CVE-2026-30851 Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forwardauth copyheaders does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2...

8.1CVSS0.00249EPSS
Exploits1References4
Debian CVE
Debian CVEadded 2026/03/07 4:28 p.m.5 views

CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forwardauth copyheaders does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2...

8.8CVSS7.7AI score0.00249EPSS
Exploits1
CVE
CVEadded 2026/03/07 4:28 p.m.8 views

CVE-2026-30851

CVE-2026-30851 (Caddy) affects Caddy server up to version 2.11.2. The issue is in forward_auth copy_headers, which fails to strip client-supplied headers, enabling identity injection and privilege escalation. This vulnerability is grounded in the component/behavior described across multiple sourc...

8.8CVSS5.7AI score0.00249EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blogadded 2026/03/06 11:38 p.m.10 views

Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Summary Caddy's forwardauth directive with copyheaders generates conditional header-set operations that only fire when the upstream auth service includes the named header in its response. No delete or remove operation is generated for the original client-supplied request header with the same name...

8.8CVSS5.9AI score0.00249EPSS
Exploits1References6Affected Software1
Positive Technologies
Positive Technologiesadded 2026/03/06 12:0 a.m.7 views

PT-2026-23796

Name of the Vulnerable Software and Affected Versions Caddy versions 2.10.0 through 2.11.1 Description Caddy is a server platform that utilizes TLS by default. A flaw exists in the forward auth functionality where the copy headers option fails to remove headers provided by the client. This can le...

9.9CVSS5.8AI score0.22162EPSS
Exploits68References144
Rows per page
Query Builder