CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-30851

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 5.2%

CVSS Severity

CVSS v3 Score 8.1

References

https://github.com/caddyserver/caddy/issues/6610
https://github.com/caddyserver/caddy/pull/6608
https://github.com/caddyserver/caddy/pull/7545
https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4

Products affected by CVE-2026-30851

Caddyserver » Caddy » Version: 2.10.0

cpe:2.3:a:caddyserver:caddy:2.10.0
Caddyserver » Caddy » Version: 2.10.1

cpe:2.3:a:caddyserver:caddy:2.10.1
Caddyserver » Caddy » Version: 2.10.2

cpe:2.3:a:caddyserver:caddy:2.10.2
Caddyserver » Caddy » Version: 2.11.0

cpe:2.3:a:caddyserver:caddy:2.11.0
Caddyserver » Caddy » Version: 2.11.1

cpe:2.3:a:caddyserver:caddy:2.11.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-30851

Products

Pricing

Contact Us