PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52845 Caddyserver CVE debrief

CVE-2026-52845 is a high-severity vulnerability in Caddy, an extensible server platform that uses TLS by default. Prior to version 2.11.4, Caddy's forward_auth feature deletes only the exact client-supplied identity header name before copying the trusted value from the auth gateway. When the request later goes through php_fastcgi, however, Caddy normalizes HTTP header names into CGI variables by replacing '-' with '_'. A client can therefore send an underscore alias of the header: it survives the forward_auth delete step but becomes the same PHP/FastCGI variable. As a result, a remote client can inject, or in some cases override, identity/group headers that PHP/FastCGI applications behind Caddy trust. This vulnerability is fixed in version 2.11.4.

Vendor
Caddyserver
Product
Caddy
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-26
Advisory published
2026-06-23
Advisory updated
2026-06-26

Who should care

Administrators and users of the Caddy server platform, especially those running PHP/FastCGI applications behind Caddy, should be aware of this vulnerability. Its high severity score of 8.1 indicates a significant risk, and users should take immediate action to update to version 2.11.4 or apply the necessary mitigations.

Technical summary

The vulnerability lies in the forward_auth feature of Caddy, which deletes client-supplied identity headers by exact name before copying trusted values from the auth gateway. Caddy's php_fastcgi handler then normalizes HTTP header names into CGI variables by replacing '-' with '_', so a header whose name uses underscores in place of hyphens is not matched by the exact-name delete yet maps to the same CGI variable. This enables a remote client to inject or override identity/group headers trusted by PHP/FastCGI applications. The vulnerability carries a CVSS score of 8.1 and a HIGH severity level.
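To make the normalization collision concrete, the following Go example is added here (it is not Caddy's own code): it models the pre-fix exact-name delete beside a hardened delete keyed on the CGI variable name. The header name X-Forwarded-User and both header values are assumptions for illustration.

```go
package main
import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiVarName mirrors the CGI convention (upper-case, '-' -> '_', HTTP_ prefix).
func cgiVarName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}
// deleteExactOnly models the pre-2.11.4 behaviour the advisory describes: only
// the exact trusted name is removed, so a '_' alias sent by the client survives.
func deleteExactOnly(h http.Header, trusted map[string]string) {
	for name, val := range trusted {
		h.Del(name)
		h.Set(name, val)
	}
}
// deleteByCGIName is the hardened variant: drop every client header whose CGI
// variable name collides with a trusted header before applying trusted values.
func deleteByCGIName(h http.Header, trusted map[string]string) {
	for name := range h { // deleting while ranging over a Go map is safe
		for t := range trusted {
			if cgiVarName(name) == cgiVarName(t) {
				h.Del(name)
			}
		}
	}
	deleteExactOnly(h, trusted)
}
// identityAsSeenByPHP runs a constructed request through a delete strategy and
// returns, sorted, the values PHP would see under the trusted identity variable.
// Header name X-Forwarded-User and both values are assumed for illustration.
func identityAsSeenByPHP(strategy func(http.Header, map[string]string)) []string {
	h := http.Header{}
	h.Set("X_Forwarded_User", "untrusted")                    // client-supplied alias
	trusted := map[string]string{"X-Forwarded-User": "alice"} // from the auth gateway
	strategy(h, trusted)
	var vals []string
	for name, v := range h {
		if cgiVarName(name) == cgiVarName("X-Forwarded-User") {
			vals = append(vals, v...)
		}
	}
	sort.Strings(vals)
	return vals
}
func main() { fmt.Println(identityAsSeenByPHP(deleteExactOnly), identityAsSeenByPHP(deleteByCGIName)) }
```

Both strategies run over the same constructed request, so the value set PHP would receive under HTTP_X_FORWARDED_USER can be compared directly: the exact-name delete leaves two values behind, the CGI-name delete leaves only the gateway's.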

Defensive priority

High priority should be given to updating Caddy to version 2.11.4 or later. Until the update is applied, defenders should monitor for suspicious activity and consider compensating controls that reduce the risk of identity header injection or override.

Recommended defensive actions

  • Update Caddy to version 2.11.4 or later
  • Monitor for suspicious activity related to header injection or override
  • Implement compensating controls to mitigate the risk
  • Review and adjust Caddy configurations for forward_auth and php_fastcgi
  • Consider additional security measures for PHP/FastCGI applications

Evidence notes

The vulnerability is confirmed by the CVE and NVD records. The CVE record provides a detailed description of the vulnerability, while the NVD record offers additional information on the CVSS score and vector. The source item URL provides access to the CVE details.

Official resources

This article is AI-assisted and based on the supplied source corpus.