PROBABLYPWNED
Vulnerabilities | March 8, 2026

Caddy Server Flaw Lets Users Impersonate Admins

CVE-2026-30851 in Caddy's forward_auth module enables identity injection and privilege escalation. Any valid user can impersonate administrators. Update to 2.11.2.

Marcus Chen

A high-severity vulnerability in the Caddy web server allows any authenticated user to impersonate administrators by injecting identity headers. CVE-2026-30851 (CVSS 8.1) affects the forward_auth module's copy_headers functionality in versions 2.10.0 through 2.11.1.

The flaw was disclosed on March 7, 2026, and Caddy released version 2.11.2 with a fix the same day. Organizations using Caddy's forward authentication pattern should upgrade immediately—the attack requires only a valid user account and provides a direct path to administrator access.

How the Attack Works

Caddy's forward_auth directive proxies authentication decisions to an upstream auth service. When that service returns HTTP 200 (authenticated), Caddy can copy certain headers from the auth response to the backend request using the copy_headers configuration.

The problem: Caddy's header-set operations only fire when the upstream auth service actually includes the named header in its response. But no delete operation removes the client-supplied request header with the same name.

When an auth service returns 200 OK without including one of the configured copy_headers headers, any client-supplied header with that name passes through unchanged to the backend. An attacker holding any valid authentication token can inject arbitrary values for trusted identity headers.

Say your backend expects an X-User-Role header from the auth service. If the auth service returns 200 without that header, the attacker's forged X-User-Role: admin passes through to the backend unmodified. The backend trusts it because it came from Caddy, which is supposed to enforce authentication.

Attack Requirements

The vulnerability requires:

  • A valid user account (any privilege level)
  • Knowledge of the header names the backend trusts
  • An auth service that sometimes omits the identity headers on successful auth responses

That third condition matters. If the auth service always returns the relevant headers on 200 responses, the conditional set operation will overwrite attacker-supplied values. But many auth service implementations only include headers when relevant—perhaps omitting role headers for basic users, or skipping certain claims based on request context.

This is a regression introduced by PR #6608 in November 2024. Deployments using forward_auth with copy_headers that were secure before that change became vulnerable when they upgraded to 2.10.0 or later.

The Fix

Caddy 2.11.2 addresses the issue by adding an unconditional Delete route for each copied header that runs before the conditional Set. Client-supplied values get stripped first, then the auth service's values (if present) get applied.

Organizations should:

  1. Upgrade to 2.11.2 immediately
  2. Audit access logs for suspicious header patterns that might indicate exploitation
  3. Review auth service behavior to understand when headers are and aren't included

If immediate upgrade isn't possible, consider adding explicit Caddyfile rules to strip sensitive headers from incoming requests before they reach the forward_auth directive. This is a workaround, not a fix—upgrade when feasible.
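One way to apply that workaround, shown as an added Caddyfile example that is not from the advisory or the Caddy project. The auth service address and verify path, the backend address and the X-User-Id / X-User-Role header names are assumptions standing in for your own deployment.

```caddyfile
# Added example (not from the advisory or the Caddy project): interim
# hardening for Caddy 2.10.0 through 2.11.1 until 2.11.2 is deployed.
# auth-service:9091, /api/verify, backend:8080 and the X-User-* header
# names are placeholders for the real deployment's values.
app.example.com {
    # Vulnerable shape: identity headers are copied from the auth
    # response when present, but a client-supplied X-User-Role survives
    # whenever the auth service answers 200 without sending that header.
    #
    # forward_auth auth-service:9091 {
    #     uri /api/verify
    #     copy_headers X-User-Id X-User-Role
    # }
    # reverse_proxy backend:8080

    # Workaround: strip the trusted headers from the incoming request
    # BEFORE forward_auth runs. Caddy's default directive order places
    # request_header after forward_auth, so the strip is wrapped in a
    # route block, which executes its directives in the order written.
    route {
        request_header -X-User-Id
        request_header -X-User-Role

        forward_auth auth-service:9091 {
            uri /api/verify
            copy_headers X-User-Id X-User-Role
        }

        reverse_proxy backend:8080
    }
}
```

Verify the ordering with `caddy adapt --config Caddyfile` and confirm the delete handlers appear before the forward_auth subroute in the emitted JSON; a request_header placed outside the route block would run too late to help.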

Web Server Auth Complexity

Authentication forwarding introduces inherent complexity. The web server must correctly handle the interplay between client requests, auth service responses, and backend expectations. Each integration point is a potential security boundary violation.

We've seen similar issues in other reverse proxy configurations. The OpenLIT GitHub Actions vulnerability demonstrated how authentication assumptions can fail across trust boundaries, and authentication bypass patterns in network appliances show this class of vulnerability appearing repeatedly.

The Caddy issue is particularly subtle because the feature appears to work correctly in most cases. The conditional header behavior only creates a vulnerability when auth services behave in specific ways—easy to miss during testing if test accounts always receive all headers.

For security teams evaluating proxy authentication patterns, this incident underscores the importance of defense in depth. Backend services shouldn't blindly trust headers from the reverse proxy. Where possible, implement additional verification at the application layer, even if it seems redundant with proxy-level authentication. The SAP SQL injection vulnerabilities from January showed similar trust boundary issues in enterprise software.
