Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Dismissed
Permalink CVE-2026-30851
8.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
updated 2 weeks ago by @mweinelt Activity log
  • Created automatic suggestion 2 weeks ago
  • @mweinelt removed
    7 packages
    • xcaddy
    • caddyfile-language-server
    • vimPlugins.nvim-treesitter-parsers.caddy
    • tree-sitter-grammars.tree-sitter-caddyfile
    • vscode-extensions.matthewpi.caddyfile-support
    • python313Packages.tree-sitter-grammars.tree-sitter-caddyfile
    • python314Packages.tree-sitter-grammars.tree-sitter-caddyfile
    2 weeks ago
  • @mweinelt dismissed 2 weeks ago
Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

References

Affected products

caddy
  • ==>= 2.10.0, < 2.11.2

Matching in nixpkgs

Ignored packages (7)

Package maintainers

NixOS Unstable: https://github.com/NixOS/nixpkgs/pull/497116
NixOS 25.11: https://github.com/NixOS/nixpkgs/pull/497197