CVE-2026-24853
Unknown Unknown - Not Provided
Header Injection Bypass in Caido Web Security Toolkit Before

Publication date: 2026-02-13

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-24
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24853
EUVD
EUVD-2026-7360
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
caido caido to 0.55.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Caido, a web security auditing toolkit, in versions prior to 0.55.0. Caido is designed to block non-whitelisted domains from accessing the service through port 8080 and normally shows a message "Host/IP is not allowed to connect to Caido" on all endpoints when such access is attempted.

However, this protection can be bypassed by injecting a specially crafted HTTP header, specifically the "X-Forwarded-Host: 127.0.0.1:8080" header. This allows an attacker to circumvent the domain whitelist restriction and potentially access Caido through the restricted port.

The vulnerability was fixed in version 0.55.0 of Caido.

Impact Analysis

Exploiting this vulnerability allows an attacker to bypass domain whitelist restrictions and access Caido through port 8080 by injecting a malicious header.

Given the CVSS v3.1 base score of 8.1 with high impact on confidentiality, integrity, and availability, this could lead to serious security consequences such as unauthorized access, data compromise, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Caido to version 0.55.0 or later, where the issue with bypassing domain restrictions via the X-Forwarded-Host header is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24853. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart