Caddyserver

Caddy

See the latest tracked release, confirm when it was published, and subscribe for update emails.

Current version
Last checked: 2026-06-03

2.11.4

Release date
June 03, 2026
Security status
2 high-severity CVEs tracked in the last 90 days. Current version not affected.

Source

GitHub API

Public release notes are linked for the latest stored release.

Release history

See the latest published releases stored for this product.

Version Published Notes
2.11.4 2026-06-03 Release Notes
2.11.3 2026-05-12 Release Notes
2.11.2 2026-03-06 Release Notes

Vulnerability tracking

versionPing monitors CVEs for this product. Matching CVEs are listed below. We only display CVEs with a CVSS score of 7.0 or higher that were published within the last 90 days.

Affected status is inferred from published affected version ranges where available. Always verify against the vendor advisory before making production decisions.

CVE Severity Published Status Summary
CVE-2026-30852 HIGH (7.5) 2026-03-07 Current version not affected

Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then passed through repl.ReplaceAll() again (the bug). This means an attacker can put {env.DATABASE_URL} or {file./etc/passwd} in a request header and the server will evaluate it, leaking environment variables, file contents, and system info. This issue has been patched in version 2.11.2.

Affected versions
  • From (including) 2.7.5 - Up to (excluding) 2.11.2
CVE-2026-30851 HIGH (8.8) 2026-03-07 Current version not affected

Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.

Affected versions
  • From (including) 2.10.0 - Up to (excluding) 2.11.2