CVE-2026-30851 · HIGH 8.8 · EPSS p15.9%

Description

Caddy is an extensible server platform that uses TLS by default. In versions from 2.10.0 up to, but not including, 2.11.2, the forward_auth directive's copy_headers option does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.25% probability of exploitation · percentile 15.9% · scored 2026-06-18T12:00:27Z
Published: 2026-03-07
Last modified: 2026-03-11

Underlying weaknesses · 2

CWE-287 · CWE-345

References

  1. https://github.com/caddyserver/caddy/issues/6610
  2. https://github.com/caddyserver/caddy/pull/6608
  3. https://github.com/caddyserver/caddy/pull/7545
  4. https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4


Type      Target                                                    Confidence  Tier
Weakness  Improper Authentication (cwe-287)                         0%          live
Weakness  Insufficient Verification of Data Authenticity (cwe-345)  0%          live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.