GHSA-f59h-q822-g45g: Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Summary
The Caddy web server has a flaw in how it handles request headers when `forward_auth copy_headers` (a feature that copies trusted identity headers from an authentication service) is combined with `php_fastcgi` (a module that forwards requests to PHP). An attacker can send a header name with underscores (like `Remote_Groups`) instead of hyphens (like `Remote-Groups`); Caddy deletes only the hyphenated version from the incoming request. Later, when the FastCGI transport converts headers to CGI variables (the environment variables a backend application reads), it replaces every hyphen with an underscore, so the attacker's underscore header ends up with the same variable name as the trusted header. This allows an attacker to inject fake identity or group information into PHP applications.
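The following Go program is an added illustration of the collision the summary describes and of the defensive check that closes it; it is not Caddy's code. It assumes the standard CGI/1.1 mapping of header names to `HTTP_*` variables (upper-case, hyphens to underscores), uses constructed header values, and takes `Remote-User` / `Remote-Groups` as the trusted header names. `stripNaive` deletes only the exact trusted names; `stripByCGIName` deletes every incoming header whose CGI variable name would collide with a trusted one, which is the property a `copy_headers` implementation in front of FastCGI needs.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// cgiName maps an HTTP header name to the CGI meta-variable name a FastCGI
// transport produces: upper-case, hyphens become underscores, HTTP_ prefix
// (CGI/1.1 convention). Remote_Groups and Remote-Groups both become
// HTTP_REMOTE_GROUPS, which is the root of the problem.
func cgiName(header string) string {
	return "HTTP_" + strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// stripNaive removes only the exact trusted header names. This is the weak
// behaviour in the advisory: an attacker-supplied Remote_Groups survives.
func stripNaive(h http.Header, trusted []string) {
	for _, name := range trusted {
		h.Del(name)
	}
}

// stripByCGIName removes every client-supplied header that collapses to the
// same CGI variable name as a trusted header (Remote_Groups, remote-groups,
// REMOTE_GROUPS, ...), so only the auth service's value can reach the backend.
func stripByCGIName(h http.Header, trusted []string) {
	blocked := make(map[string]bool, len(trusted))
	for _, name := range trusted {
		blocked[cgiName(name)] = true
	}
	for name := range h { // deleting during range is safe for Go maps
		if blocked[cgiName(name)] {
			delete(h, name)
		}
	}
}

// simulate builds a request carrying attacker-supplied identity headers
// (constructed values), applies the given strip function, copies in the
// values the auth service would have returned (also constructed), and then
// reports which original header names feed each CGI variable. More than one
// source for a trusted variable means the attacker's header got through.
func simulate(strip func(http.Header, []string)) map[string][]string {
	trusted := []string{"Remote-User", "Remote-Groups"}
	h := http.Header{}
	h.Set("Remote_Groups", "admin") // underscore variant, survives a naive Del
	h.Set("Remote-Groups", "guest") // hyphen variant, removed by both strippers
	strip(h, trusted)
	h.Set("Remote-User", "alice")   // trusted values from the auth service
	h.Set("Remote-Groups", "users")
	sources := map[string][]string{}
	for name := range h {
		key := cgiName(name)
		sources[key] = append(sources[key], name)
	}
	return sources
}

func main() {
	for label, strip := range map[string]func(http.Header, []string){
		"naive (exact-name delete)":  stripNaive,
		"hardened (CGI-name delete)": stripByCGIName,
	} {
		src := simulate(strip)["HTTP_REMOTE_GROUPS"]
		fmt.Printf("%-28s HTTP_REMOTE_GROUPS fed by %d header(s): %v\n", label, len(src), src)
	}
}
```

Running it shows the naive stripper leaving two contributors for `HTTP_REMOTE_GROUPS` (the attacker's `Remote_groups` and the trusted `Remote-Groups`) while the hardened stripper leaves exactly one. The same `cgiName` comparison doubles as a detection rule: any request that, after stripping, still carries two header names mapping to one `HTTP_*` variable is worth logging.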
Vulnerability Details
EPSS: 0.0%
June 16, 2026
Original source: https://github.com/advisories/GHSA-f59h-q822-g45g
First tracked: June 16, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%