Caddy Defender trusted proxy client IP bypass
Description
Impact
Caddy Defender used r.RemoteAddr when evaluating whether a request should be blocked. RemoteAddr is the address of the immediate peer connected to Caddy.
In deployments where Caddy is behind a trusted proxy, CDN, or load balancer, the immediate peer is usually the proxy, not the original client. Caddy resolves the original client address into its client_ip request variable after applying the configured trusted_proxies policy, but Defender did not use that value.
As a result, clients from blocked IP ranges could bypass Defender when accessing Caddy through a trusted proxy whose own IP address was not blocked. This affects deployments that use Defender behind trusted proxies and expect it to enforce blocking based on the real client IP.
Patches
The issue is fixed by making Defender prefer Caddy's resolved client_ip request variable when it is available. Defender falls back to RemoteAddr only when Caddy has not provided a resolved client IP.
Users should upgrade to v0.10.1 or later.
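The following Go example, added here and not taken from the caddy-defender project, contrasts the pre-v0.10.1 check (immediate peer from r.RemoteAddr) with the fixed behaviour (prefer the client IP Caddy resolved under trusted_proxies, fall back to RemoteAddr). It assumes a plain context key as a stand-in for Caddy's client_ip request variable, and the blocked range and addresses are constructed for illustration.

```go
package main

import (
	"context"
	"net"
	"net/http"
	"net/netip"
)

// ctxKey is an assumption: a stand-in for Caddy's client_ip request variable.
type ctxKey string

const clientIPKey ctxKey = "client_ip"

// Blocked is a constructed range standing in for Defender's configured lists.
var Blocked = []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}

// inBlocked accepts "ip:port" (RemoteAddr form) or a bare IP (client_ip form).
func inBlocked(s string) bool {
	if host, _, err := net.SplitHostPort(s); err == nil {
		s = host
	}
	a, err := netip.ParseAddr(s)
	for _, p := range Blocked {
		if err == nil && p.Contains(a.Unmap()) {
			return true
		}
	}
	return false
}

// ShouldBlockVulnerable mirrors pre-v0.10.1: behind a trusted proxy the peer is the proxy.
func ShouldBlockVulnerable(r *http.Request) bool { return inBlocked(r.RemoteAddr) }

// ShouldBlockFixed mirrors v0.10.1: prefer the resolved client IP, else RemoteAddr.
func ShouldBlockFixed(r *http.Request) bool {
	if v, ok := r.Context().Value(clientIPKey).(string); ok && v != "" {
		return inBlocked(v)
	}
	return inBlocked(r.RemoteAddr)
}

// NewRequest builds a request as the module sees it: remote is the TCP peer,
// resolved is the client_ip value ("" when Caddy did not set one).
func NewRequest(remote, resolved string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://example.test/", nil)
	r.RemoteAddr = remote
	if resolved != "" {
		r = r.WithContext(context.WithValue(r.Context(), clientIPKey, resolved))
	}
	return r
}
```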
Workarounds
There is no complete workaround in affected Defender versions for deployments that rely on Caddy's trusted proxy client IP resolution.
Until upgrading, affected users should enforce equivalent IP blocking at the trusted proxy, CDN, load balancer, firewall, or other edge layer before traffic reaches Caddy.
Deployments where Caddy receives traffic directly from clients, without an intermediate trusted proxy, are not affected by this bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Caddy Defender v0.10.0 and earlier uses the proxy's IP instead of the real client IP behind trusted proxies, allowing bypass of IP-based blocking rules.
Vulnerability
Caddy Defender versions before v0.10.1 used r.RemoteAddr (the immediate peer address) when evaluating whether to block a request [2][3]. In deployments where Caddy runs behind a trusted proxy, CDN, or load balancer, RemoteAddr is the proxy’s address, not the original client’s IP. Caddy itself resolves the real client IP into its client_ip request variable after applying the configured trusted_proxies policy, but Defender ignored that variable [1].
Exploitation
An attacker whose IP is in a Defender-blocked range can bypass the block if they route traffic through a trusted proxy whose own IP address is not blocked [2]. The attacker sends requests to the proxy, which forwards them to Caddy; Defender sees the proxy’s IP and permits the request [3]. No special authentication or prior access is required beyond the ability to reach the trusted proxy.
Impact
Successful exploitation defeats Defender’s IP-based blocking and manipulation features (e.g., blocking, garbage responses, tarpit) [2]. This enables AI crawlers, scrapers, or other unwanted clients listed in Defender’s configured ranges to access the site as if they were not blocked, violating the administrator’s access control intent [1].
Mitigation
Upgrade to Caddy Defender v0.10.1 or later, where Defender prefers Caddy’s resolved client_ip variable over RemoteAddr [2][3][4]. No complete workaround exists for affected versions; as a temporary measure, administrators can enforce equivalent IP blocking at the trusted proxy, CDN, load balancer, or firewall before traffic reaches Caddy [2]. Deployments where Caddy receives traffic directly from clients (no intermediate trusted proxy) are not affected [2].
- GitHub - JasonLovesDoggo/caddy-defender: Caddy module to block or manipulate requests originating from AIs or cloud services trying to train on your websites
- Caddy Defender trusted proxy client IP bypass
- CVE-2026-46415 - GitHub Advisory Database
- Fix trusted proxy client IP matching by JasonLovesDoggo · Pull Request #139 · JasonLovesDoggo/caddy-defender
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.