Summary
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Related vulnerabilities
- HIGH, GHSA-CW4Q-GQG5-G38H: OpenClaw: Discord allowFrom could bind to mutable display names
- HIGH, GHSA-8C59-HR4W-QG69: OpenClaw: Zalo allowFrom could bind to mutable display names
- CRITICAL, GHSA-GFJ5-979R-92PW: @acastellon/auth: Authentication bypass via spoofable headers in validateToken()
- HIGH, GHSA-8CCJ-P46R-JWQQ: PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
- CRITICAL, GHSA-F38V-77QJ-H4JQ: praisonai-platform 0.1.4 still boots on the hardcoded JWT secret dev-secret-change-me (default-open production guard)
- HIGH, GHSA-4QQ2-2J2X-X62C: npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation