Go modules package
github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
pkg:golang/github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy
Vulnerabilities (1)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30851 | — | >= 2.10.0, < 2.11.2 | 2.11.2 | Mar 7, 2026 | Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2. |
- CVE-2026-30851Mar 7, 2026affected >= 2.10.0, < 2.11.2fixed 2.11.2
Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.