GHSA-7r4p-vjf4-gxv4: Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation
high vulnerability
security
Summary
Caddy's `forward_auth` directive with `copy_headers` fails to remove client-supplied headers when the upstream auth service (an external server that validates user identity) does not include those headers in its response. An authenticated attacker can therefore inject arbitrary values for trusted identity headers and escalate privileges. This regression was introduced in November 2024 and affects all stable versions from v2.10.0 onward.
Solution
The source text states: "
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Classification
Attack Sophistication: Moderate
Affected Packages
github.com/caddyserver/caddy/v2/modules/caddyhttp/reverseproxy@>= 2.10.0, < 2.11.2 (fixed: 2.11.2)
Original source: https://github.com/advisories/GHSA-7r4p-vjf4-gxv4
First tracked: March 6, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 95%