CVE-2026-52845
Published: 23 June 2026
Summary
CVE-2026-52845 is a high-severity Improper Authentication (CWE-287) vulnerability in Caddyserver Caddy. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-38558
Vulnerability details
Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy…
more
normalizes HTTP headers into CGI variables by replacing - with _. This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable. Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy. This vulnerability is fixed in 2.11.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote header spoofing bypass in public-facing Caddy server directly enables exploitation of the application (T1190).
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Detects unauthorized successful logons resulting from improper authentication implementations.
Security awareness training instructs users on secure authentication practices and avoiding credential compromise.
Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment.
Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.
Mandates unique identification and authentication of non-organizational users, directly mitigating improper authentication.
Requires unique identification and authentication of services before any communications, directly mitigating improper authentication.
Requires authentication mechanisms on the wireless link, making improper authentication weaknesses harder to exploit.
Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.