Security: caddyserver/caddy
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Connection created for the wrong upstream for forward_auth + reverse_proxyGHSA-6365-7ppr-5r92 published
Jul 10, 2026 by mholtModerate -
Windows `file_server` path authorization bypass via encoded backslashGHSA-qrp7-cvwr-j2c6 published
Jun 8, 2026 by mholtHigh -
FastCGI header normalization bypass in `forward_auth copy_headers`GHSA-f59h-q822-g45g published
Jun 8, 2026 by mholtHigh -
Three vulnerabilities in Caddy v2.11.3: rewrite placeholder re-expansion, unbounded body buffer DoS, and fileHidden case-sensitivity bypassGHSA-j8px-rmrx-76h9 published
Jul 10, 2026 by mholtModerate -
stripHTML template function bypass in github.com/caddyserver/caddyGHSA-vcc4-2c75-vc9v published
Jun 8, 2026 by mholtModerate -
Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP FilesGHSA-m675-2p33-xv9g published
May 13, 2026 by mholtHigh -
Caddy CVE-2026-30852 Fix BypassGHSA-wwhq-w58m-w29c published
May 13, 2026 by mholtHigh -
Remote Admin Authorization Bypass in `/config` API via Array Index NormalizationGHSA-x5w9-xh9r-mvfc published
May 13, 2026 by mholtModerate -
Remote Admin Authorization Bypass on PKI Endpoints via Prefix-Based Path MatchingGHSA-gx7w-56w6-g48x published
May 13, 2026 by mholtModerate -
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege EscalationGHSA-7r4p-vjf4-gxv4 published
Mar 6, 2026 by mholtHigh