CVE-2026-30851 is an authentication bypass vulnerability classified under CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity) affecting the Caddy web server platform. Caddy is a modern, extensible server that uses TLS by default and supports a forward_auth module for delegating authentication decisions. In versions 2.10.0 through 2.11.1, the forward_auth feature's copy_headers option does not properly strip headers supplied by clients before forwarding them to the authentication backend. This oversight allows an attacker to inject arbitrary identity headers, effectively impersonating other users or elevating privileges within the application or service relying on Caddy for authentication. The vulnerability does not require user interaction but does require network access and some privileges (PR:L in CVSS). The flaw compromises confidentiality and integrity by enabling unauthorized access and privilege escalation without affecting availability. The vulnerability was publicly disclosed on March 7, 2026, and has been addressed in Caddy version 2.11.2. No known exploits are currently reported in the wild, but the high CVSS score of 8.1 indicates a serious risk if exploited. The issue stems from improper validation and sanitization of client-supplied headers, a critical failure in authentication logic that can undermine trust boundaries in web applications using Caddy as a reverse proxy or authentication gateway.

The vulnerability allows attackers to bypass authentication mechanisms by injecting forged identity headers, leading to unauthorized access and privilege escalation. This can result in exposure of sensitive data, unauthorized administrative actions, and potential compromise of backend services relying on Caddy for authentication. Organizations using affected versions of Caddy in production environments—especially those handling sensitive or regulated data—face significant risks including data breaches, compliance violations, and operational disruptions. Since Caddy is often used as a reverse proxy or authentication gateway, exploitation could provide attackers a foothold to pivot deeper into internal networks. The lack of user interaction and low attack complexity increase the likelihood of exploitation in exposed environments. Although no active exploits are reported, the vulnerability’s nature and high severity score necessitate urgent remediation to prevent potential attacks.

1. Upgrade all affected Caddy servers to version 2.11.2 or later, where the vulnerability is patched. 2. Review and audit configurations of the forward_auth module, specifically the copy_headers option, to ensure no client-supplied headers are trusted or forwarded without validation. 3. Implement strict header sanitization and validation on all authentication-related headers at the proxy or application level. 4. Employ network segmentation and access controls to limit exposure of Caddy servers to untrusted networks. 5. Monitor logs for unusual authentication header patterns or unexpected privilege escalations. 6. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious header injection attempts. 7. Educate development and operations teams about secure header handling practices to prevent similar issues in custom extensions or configurations. 8. Conduct penetration testing focused on authentication bypass scenarios to validate the effectiveness of mitigations.