Fluid Attacks Database

Description

Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation in github.com/caddyserver/caddy

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy	>=2.10.0 <2.11.2	2.11.2
go	github.com/caddyserver/caddy/v2	>=2.10.0 <2.11.2	2.11.2

Aliases

1. CVE-2026-308512. NVD-2026-308513. OSV-2026-308514. OSV-GO-2026-46395. GHSA-7r4p-vjf4-gxv46. GCVE-2026-308517. GHSA-7r4p-vjf4-gxv4

References

1. https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv42. https://github.com/caddyserver/caddy/issues/66103. https://github.com/caddyserver/caddy/pull/66084. https://github.com/caddyserver/caddy/pull/7545

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.