CVE-2026-30851 affects the Caddy web server, an extensible platform that defaults to TLS for secure communications. The vulnerability exists in versions from 2.10.0 up to but excluding 2.11.2 within the forward_auth module, specifically in the copy_headers functionality. This feature is intended to forward authentication headers from an upstream identity provider to downstream services. However, the implementation fails to properly sanitize or strip headers supplied by clients before forwarding them. As a result, an attacker can craft requests with malicious headers that impersonate legitimate user identities, effectively injecting unauthorized identity information. This improper authentication (CWE-287) combined with insufficient validation of client-supplied data (CWE-345) allows privilege escalation, potentially granting attackers access to protected resources or administrative functions. The vulnerability is remotely exploitable over the network with low complexity and does not require user interaction. Although no known exploits are currently reported in the wild, the high CVSS score of 8.1 reflects the significant risk posed by this flaw. The issue was addressed and patched in Caddy version 2.11.2 by ensuring that client-supplied headers are properly stripped before forwarding, restoring the integrity of authentication mechanisms.

The vulnerability can lead to unauthorized access to sensitive information and administrative capabilities by allowing attackers to impersonate authenticated users. This compromises confidentiality and integrity of systems relying on Caddy's forward_auth module for authentication. Organizations using affected versions may face data breaches, unauthorized configuration changes, and potential lateral movement within their networks. Since Caddy is often used as a reverse proxy or web server in modern cloud-native and microservices environments, exploitation could undermine the security of multiple downstream services. The lack of availability impact means services remain operational, but attackers gain stealthy access. The ease of exploitation over the network with low privileges increases the threat level, especially in environments where Caddy servers are internet-facing or exposed to untrusted networks.

The primary mitigation is to upgrade all affected Caddy server instances to version 2.11.2 or later, where the vulnerability is patched. Until upgrade is possible, organizations should disable or avoid using the forward_auth copy_headers feature to prevent header injection. Implement strict validation and sanitization of all incoming authentication headers at the network perimeter or within upstream identity providers. Employ network segmentation and access controls to limit exposure of Caddy servers to untrusted clients. Monitor logs for suspicious authentication header anomalies or unexpected privilege escalations. Conduct thorough security reviews of authentication flows involving Caddy to ensure no other header manipulation vulnerabilities exist. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block malformed or unauthorized authentication headers targeting Caddy servers.