CVE-2026-52845: Authentication Header Injection in Caddy Server
Status: Undergoing Analysis - In Progress

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth with copy_headers deletes only the exactly named client-supplied identity header before copying the trusted value from the auth gateway. When the request later passes through php_fastcgi, Caddy normalizes HTTP header names into CGI variable names by replacing `-` with `_`. A client can therefore send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: caddyserver; Product: caddy; Version / Range: up to 2.11.4 (excluding)
CWE ID and Description
CWE-290: This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-444: The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
AI Quick Actions
Compliance Impact

This vulnerability allows a remote client to inject or override identity or group headers trusted by PHP/FastCGI applications, leading to unauthorized user impersonation or privilege escalation.

Such unauthorized access and manipulation of identity information can result in breaches of confidentiality and integrity of sensitive data.

Consequently, this can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Executive Summary

CVE-2026-52845 is a vulnerability in Caddy's forward_auth module with copy_headers functionality. It allows a remote client to bypass header normalization and inject or override identity or group headers that PHP/FastCGI applications trust.

The issue arises because forward_auth deletes only the exactly named client-supplied header before copying the trusted value from the authentication gateway. When the request then passes through php_fastcgi, Caddy normalizes header names into CGI variable names by replacing hyphens (-) with underscores (_).

This normalization creates a collision where a client can send a header with an underscore (e.g., Remote_Groups) that survives the deletion step but becomes equivalent to the trusted header with a hyphen (e.g., Remote-Groups) after normalization. This allows the client to inject or override trusted identity or group headers.
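The collision modelled in Go, as an added example that is not Caddy's own code: `cgiVarName` is the php_fastcgi normalization, `naiveCopyHeaders` stands in for the pre-2.11.4 copy step that deletes only the exact name, and `hardenedCopyHeaders` shows the fix shape of deleting every client header whose normalized name matches the trusted one. The function names and the exact mechanics of the real 2.11.4 fix are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiVarName is the php_fastcgi normalization: "HTTP_" + upper case, '-' to '_'.
func cgiVarName(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// toCGI builds the variables a FastCGI backend sees; colliding values are kept together.
func toCGI(h http.Header) map[string][]string {
	env := make(map[string][]string)
	for name, vals := range h {
		env[cgiVarName(name)] = append(env[cgiVarName(name)], vals...)
	}
	return env
}

// naiveCopyHeaders models pre-2.11.4 behaviour: only the exact trusted name is deleted.
func naiveCopyHeaders(req http.Header, trusted map[string]string) {
	for name, val := range trusted {
		req.Del(name)
		req.Set(name, val)
	}
}

// hardenedCopyHeaders deletes every client header that normalizes to a trusted
// header's CGI variable, so no underscore alias survives the copy step.
func hardenedCopyHeaders(req http.Header, trusted map[string]string) {
	for name, val := range trusted {
		want := cgiVarName(name)
		for existing := range req {
			if cgiVarName(existing) == want {
				req.Del(existing)
			}
		}
		req.Set(name, val)
	}
}

func main() {
	req := http.Header{}
	req.Set("Remote_Groups", "admin") // constructed client-supplied alias
	hardenedCopyHeaders(req, map[string]string{"Remote-Groups": "users"})
	fmt.Println(toCGI(req)) // map[HTTP_REMOTE_GROUPS:[users]]
}
```

With `naiveCopyHeaders` the same request leaves two values on HTTP_REMOTE_GROUPS, which is the "inject or sometimes override" outcome the description refers to.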

Impact Analysis

This vulnerability can lead to a remote client injecting or overriding identity or group headers that backend PHP/FastCGI applications trust. This can result in unauthorized user impersonation or privilege escalation.

The impacts include loss of confidentiality and integrity, as attackers can manipulate identity information to gain unauthorized access or escalate privileges within the affected applications.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests for unusual or unexpected headers that use underscores instead of hyphens, such as `Remote_Groups`, which may bypass the forward_auth header deletion step.

You can inspect incoming HTTP headers to identify if any client-supplied headers with underscores are present that could be normalized to trusted headers by PHP/FastCGI.

Suggested commands include using tools like curl or tcpdump to capture and analyze HTTP headers, for example:

  • Using curl to send a test request with an underscore header: `curl -H "Remote_Groups: admin" http://your-caddy-server/`
  • Using tcpdump to capture HTTP traffic: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep Remote_Groups` (only plaintext traffic on port 80 is readable this way; headers inside TLS on port 443 have to be inspected at the server, for instance from its access logs)

Additionally, reviewing server logs or application logs for unexpected identity or group header values can help detect exploitation attempts.
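A log-side check for the header inspection described above, as an added example that is not from the advisory or from Caddy: it scans JSON lines in the shape of Caddy's JSON access log (the request.headers map, where client-sent names are preserved verbatim) for names that are not the trusted spelling but normalize to a trusted header's CGI variable. The sample lines and the trusted header names are constructed; `scanAccessLog` and `Finding` are assumed names.

```go
package main

import (
	"encoding/json"
	"strings"
)

// accessLogEntry covers the part of a Caddy JSON access log line this scan reads.
type accessLogEntry struct {
	Request struct {
		RemoteIP string              `json:"remote_ip"`
		Headers  map[string][]string `json:"headers"`
	} `json:"request"`
}

// cgiVarName is the php_fastcgi normalization: "HTTP_" + upper case, '-' to '_'.
func cgiVarName(name string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(name, "-", "_"))
}

// Finding is one client header that would collide with a trusted header after normalization.
type Finding struct {
	RemoteIP, Header, CollidesWith string
}

// scanAccessLog reports alias headers (e.g. Remote_Groups) that collide with trusted ones (e.g. Remote-Groups).
func scanAccessLog(lines []string, trusted []string) ([]Finding, error) {
	byVar := make(map[string]string, len(trusted))
	for _, name := range trusted {
		byVar[cgiVarName(name)] = name
	}
	var findings []Finding
	for _, line := range lines {
		var e accessLogEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err // malformed line: stop rather than silently skip it
		}
		for name := range e.Request.Headers {
			if want, ok := byVar[cgiVarName(name)]; ok && !strings.EqualFold(name, want) {
				findings = append(findings, Finding{e.Request.RemoteIP, name, want})
			}
		}
	}
	return findings, nil
}

// sampleLog holds constructed lines in the shape of Caddy's JSON access log; not real traffic.
var sampleLog = []string{
	`{"request":{"remote_ip":"203.0.113.5","uri":"/admin","headers":{"User-Agent":["curl/8.0"],"Remote_Groups":["admin"]}}}`,
	`{"request":{"remote_ip":"198.51.100.7","uri":"/","headers":{"User-Agent":["Mozilla/5.0"],"Accept":["*/*"]}}}`,
}
```

Exact-spelling trusted headers are deliberately not reported, since forward_auth already deletes those; only the aliases that survive the delete step are flagged.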

Mitigation Strategies

The immediate mitigation step is to upgrade Caddy to version 2.11.4 or later, where this vulnerability is fixed.

Until the upgrade can be applied, consider disabling or restricting the use of the `forward_auth` module's `copy_headers` functionality for identity headers when used with php_fastcgi or FastCGI.

Also, review and sanitize incoming HTTP headers to prevent clients from sending headers with underscores that could be normalized into trusted headers.
