CVE-2026-30851

Summary

Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy

Severity

medium

EPSS

0.2% (p16)

Also known as

GHSA-7r4p-vjf4-gxv4, GO-2026-4639

Published

2026-03-10

References

• https://github.com/caddyserver/caddy/security/advisories/GHSA-7r4p-vjf4-gxv4
• https://github.com/caddyserver/caddy/pull/6608
• https://github.com/caddyserver/caddy/pull/7545

Related advisories

• CVE-2026-52845 — high · Go/github.com/caddyserver/caddy/v2
• CVE-2026-52844 — high · Go/github.com/caddyserver/caddy/v2
• CVE-2026-45135 — high · Go/github.com/caddyserver/caddy/v2
• CVE-2026-52846 — medium · Go/github.com/caddyserver/caddy/v2
• GHSA-gx7w-56w6-g48x — medium · Go/github.com/caddyserver/caddy/v2
• GHSA-wwhq-w58m-w29c — medium · Go/github.com/caddyserver/caddy/v2
• CVE-2026-45692 — medium · Go/github.com/caddyserver/caddy/v2
• CVE-2026-30852 — medium · Go/github.com/caddyserver/caddy/v2

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity