
caddy

v2.11.3 Security

This release includes 5 security fixes of interest to teams reviewing exposed deployments.

✓ No CVE identifiers are cited: the fixes reference GitHub advisory GHSA-m2w3-8f23-hxxf, two remote admin socket auth bypasses, a fastcgi patch carried over from FrankenPHP, and upstream security fixes in quic-go and CertMagic

Topics

acme automatic-https caddy caddyfile go http http-server http3 https privacy proxy security tls web-server

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal
editorial:auto 13d

Caddy v2.11.3 ships security patches for fastcgi execution of non-PHP files, vars placeholder expansion, two remote admin socket auth bypasses, and upstream dependency fixes.

Why it matters: patch exposed deployments to v2.11.3 promptly. The fixes stop non-PHP file execution through fastcgi, apply a more thorough fix for GitHub advisory GHSA-m2w3-8f23-hxxf in vars, close two remote admin socket auth bypasses (array index normalization and stricter path prefix matching), and pull in upstream security fixes from quic-go and CertMagic. The release notes cite no CVE identifiers, so track the GHSA and the admin fixes rather than waiting for a CVE.

Summary

AI summary

Multiple security patches address fastcgi execution, vars expansion bugs, admin auth bypasses, and upstream dependency vulnerabilities.

Changes in this release

Security Medium

merged upstream security bug fixes in quic-go and CertMagic projects

Source: llm_adapter@2026-05-21

Confidence: high

Security Medium

fastcgi patch carried over from FrankenPHP prevents execution of non-PHP files (no CVE identifier is cited)

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

vars receive more thorough fix for GitHub advisory GHSA-m2w3-8f23-hxxf

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

admin array index normalization prevents remote admin socket auth bypass

Source: llm_adapter@2026-05-21

Confidence: low

Security Medium

admin path prefix matching tightened to prevent remote admin socket auth bypass

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

vars no longer expands placeholders in values

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

fileserver shows symlink targets verbatim

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

AGENTS.md added as contribution guide

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

tls module adds system and combined CA pool modules

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

reverseproxy adds lb_retry_match condition on response status

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

journald encoder wrapper added for logging

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

reverseproxy clears dynamic upstreams cache during retries

Source: llm_adapter@2026-05-21

Confidence: low

Feature Medium

caddytls expands ACME credentials

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

github.com/go-jose/go-jose/v4 bumped from 4.1.3 to 4.1.4

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

github.com/jackc/pgx/v5 bumped from 5.8.0 to 5.9.0 then to 5.9.2

Source: llm_adapter@2026-05-21

Confidence: low

Dependency Medium

go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp bumped to 1.43.0

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

zstd checksum made configurable in http module

Source: llm_adapter@2026-05-21

Confidence: low

Performance Medium

listeners clean up stale Unix socket files on Windows

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

global ACME issuer settings inherited in tls shortcuts via httpcaddyfile

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

rewrite escapes file matcher paths before rewriting

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

caddyhttp syncs placeholder expansion in vars and vars_regexp

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

notify always sends READY=1 even after error

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

caddyhttp documents missing placeholders for escaped URI and prefixed query

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

{block} handling fixed in caddyfile snippets

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

admin redacts sensitive request headers in API logs

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

admin rejects non-canonical config array indices

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Medium

user placeholders set before auth rejection in caddyauth

Source: llm_adapter@2026-05-21

Confidence: low

Bugfix Low

vars stops expanding placeholders inside value strings

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Bugfix Low

fileserver displays symlink targets verbatim instead of resolving them

Source: granite4.1:30b@2026-05-23-audit

Confidence: low

Refactor Medium

down-propagating Helper.BlockState introduced for other directives/plugins

Source: llm_adapter@2026-05-21

Confidence: low

Refactor Medium

user placeholders reverted on auth rejection in caddyauth

Source: llm_adapter@2026-05-21

Confidence: low

Other Medium

documentation added for fileExists and fileStat template functions

Source: llm_adapter@2026-05-21

Confidence: low

Full changelog

This release improves several aspects of Caddy with minor features, bug fixes, and security patches. Thank you to everyone and their bots who contributed to help make this release the best one yet!

Security patches:

  • fastcgi: Carrying over a patch from FrankenPHP for a bug that could allow non-PHP files to be executed; collaborated on by @dunglas, @KC1zs4, and @chenjj.
  • vars: A more thorough fix for https://github.com/advisories/GHSA-m2w3-8f23-hxxf, collaborated by @everping and @vnxme.
  • admin: Array index normalization to prevent remote admin socket auth bypass, by @Amemoyoi and bot.
  • admin: More rigorous path prefix matching to prevent remote admin socket auth bypass, by @Amemoyoi and bot.

We've also merged a couple PRs that fix upstream security bugs in other projects like quic-go and CertMagic. Thank you to @marten-seemann for maintaining quic-go so diligently!
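The fastcgi item above gives no detail beyond the symptom. The following Go program is an added example, not Caddy's or FrankenPHP's code, of the guard a reviewer would look for in any FastCGI handler: split the request path at the `.php` marker, refuse the request unless the script part itself carries the `.php` extension, and refuse it again unless that script is a regular file under the document root. The function names, the marker argument and the constructed document root (one real script, one image, one upload whose name merely contains `.php`) are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// resolveScript decides which file, if any, a request path may hand to a PHP
// FastCGI backend as SCRIPT_FILENAME. It is an added illustration of the class
// of guard the release notes allude to, not Caddy's or FrankenPHP's code: the
// notes say only that non-PHP files could be executed. root is the document
// root and marker the SCRIPT_NAME/PATH_INFO split token (".php" here).
func resolveScript(root, reqPath, marker string) (scriptFile, pathInfo string, err error) {
	clean := path.Clean("/" + reqPath) // collapses "..", so "/a/../x.php" is "/x.php"
	scriptName := clean
	if i := strings.Index(clean, marker); i >= 0 {
		end := i + len(marker)
		scriptName, pathInfo = clean[:end], clean[end:]
	}
	// Guard 1: the script must carry the PHP extension. With no marker in the
	// path, scriptName is the whole request path, so "/uploads/cat.jpg" is
	// refused here instead of being passed to the interpreter.
	if path.Ext(scriptName) != marker {
		return "", "", fmt.Errorf("%q: refusing to execute a non-PHP script", scriptName)
	}
	// Guard 2: the script must be a regular file under root. An upload named
	// "shell.php.jpg" splits to "shell.php", which does not exist, so it is
	// refused as well; the interpreter is never handed the .jpg itself.
	scriptFile = filepath.Join(root, filepath.FromSlash(scriptName))
	st, statErr := os.Stat(scriptFile)
	if statErr != nil || !st.Mode().IsRegular() {
		return "", "", fmt.Errorf("%q: not a regular file under the document root", scriptName)
	}
	return scriptFile, pathInfo, nil
}

// buildRoot writes a constructed document root to a temp dir so the example
// runs offline: one real script, one image, and an upload whose name merely
// contains ".php". Callers remove the directory when done.
func buildRoot() (string, error) {
	root, err := os.MkdirTemp("", "phproot")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"index.php":             "<?php echo 'ok';",
		"uploads/cat.jpg":       "\xff\xd8\xff",      // constructed JPEG header bytes
		"uploads/shell.php.jpg": "<?php phpinfo();", // constructed disguised upload
	}
	for name, body := range files {
		full := filepath.Join(root, filepath.FromSlash(name))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := buildRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, p := range []string{
		"/index.php/user/42",     // run index.php with PATH_INFO=/user/42
		"/uploads/cat.jpg",       // denied: no PHP script anywhere in the path
		"/uploads/shell.php.jpg", // denied: the split selects shell.php, which does not exist
		"/uploads/../index.php",  // run: path.Clean resolves it to /index.php
	} {
		if script, info, err := resolveScript(root, p, ".php"); err != nil {
			fmt.Println("deny", p, "->", err)
		} else {
			fmt.Println("run ", script, "PATH_INFO="+info)
		}
	}
}
```

The split is case-sensitive and takes the first `.php` in the path, which is the usual `split_path` behaviour; if your backend is case-insensitive about extensions, lower-case both sides before the `Index` and `Ext` comparisons rather than loosening guard 2.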

What's Changed

  • caddyhttp: Sync placeholder expansion in vars and vars_regexp by @vnxme in https://github.com/caddyserver/caddy/pull/7573
  • caddytls: Avoid ACME fallback for implicit Tailscale *.ts.net policies by @steadytao in https://github.com/caddyserver/caddy/pull/7577
  • chore: Resolve recent CI failures by @mholt in https://github.com/caddyserver/caddy/pull/7593
  • caddytls: Consolidate empty APs more smartly by @mholt in https://github.com/caddyserver/caddy/pull/7567
  • rewrite: skip query rename when source key is absent by @steadytao in https://github.com/caddyserver/caddy/pull/7599
  • root: introduce down-propagating Helper.BlockState for other directives/plugins to use by @henderkes in https://github.com/caddyserver/caddy/pull/7594
  • http: make zstd checksum configurable by @ottenhoff in https://github.com/caddyserver/caddy/pull/7586
  • notify: Always send "READY=1" even after an error by @francislavoie in https://github.com/caddyserver/caddy/pull/7597
  • reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy by @yubiuser in https://github.com/caddyserver/caddy/pull/7564
  • caddytls: Expand placeholders in dns_challenge override_domain tls parameter by @pberkel in https://github.com/caddyserver/caddy/pull/7609
  • tls: add system and combined CA pool modules by @HarshPatel5940 in https://github.com/caddyserver/caddy/pull/7406
  • vars: Don't expand placeholders in values by @vnxme in https://github.com/caddyserver/caddy/pull/7629
  • build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7637
  • build(deps): bump the all-updates group across 1 directory with 11 updates by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7641
  • reverseproxy: make stream copy buffer size configurable by @steadytao in https://github.com/caddyserver/caddy/pull/7627
  • vars: Add matcher placeholder handling tests by @steadytao in https://github.com/caddyserver/caddy/pull/7640
  • build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7621
  • logging: Add journald encoder wrapper by @steadytao in https://github.com/caddyserver/caddy/pull/7623
  • caddyfile: Improve import/global options UX for imports before global options by @steadytao in https://github.com/caddyserver/caddy/pull/7642
  • chore: replace interface{} with any for modernization by @tsinglua in https://github.com/caddyserver/caddy/pull/7571
  • chore: bump timberjack to v1.4.1 by @DeRuina in https://github.com/caddyserver/caddy/pull/7618
  • logging: Preserve ts for journald-wrapped JSON logs by @steadytao in https://github.com/caddyserver/caddy/pull/7644
  • fileserver: show symlink targets verbatim (#7476) by @maxtruxa in https://github.com/caddyserver/caddy/pull/7579
  • fix(caddyfile): {block} in snippet by @prettysunflower in https://github.com/caddyserver/caddy/pull/7558
  • caddyhttp: Document missing placeholders for escaped URI and prefixed query by @steffenbusch in https://github.com/caddyserver/caddy/pull/7659
  • chore: add AGENTS.md by @mohammed90 in https://github.com/caddyserver/caddy/pull/7652
  • build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.0 by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7655
  • admin: Redact sensitive request headers in API logs by @steadytao in https://github.com/caddyserver/caddy/pull/7578
  • reverseproxy: add lb_retry_match condition on response status by @seroperson in https://github.com/caddyserver/caddy/pull/7569
  • caddyhttp: prefer port 443 in auto-HTTPS and add tests by @mholt in https://github.com/caddyserver/caddy/pull/7666
  • fix: Propagate ECH keys to the QUIC listener by @steadytao in https://github.com/caddyserver/caddy/pull/7670
  • chore: Use atomics where appropriate by @francislavoie in https://github.com/caddyserver/caddy/pull/7648
  • metrics: Implement pushing via OLTP by @dunglas in https://github.com/caddyserver/caddy/pull/7664
  • logging: Add regression coverage for rotated file mode by @steadytao in https://github.com/caddyserver/caddy/pull/7620
  • httpcaddyfile: Inherit global ACME issuer settings in tls shortcuts by @steadytao in https://github.com/caddyserver/caddy/pull/7617
  • build(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2 by @dependabot[bot] in https://github.com/caddyserver/caddy/pull/7668
  • admin: require path segment boundary in remote access control by @Amemoyoi in https://github.com/caddyserver/caddy/pull/7673
  • reverseproxy: Add ability to clear dynamic upstreams cache during retries by @mholt in https://github.com/caddyserver/caddy/pull/7662
  • listeners: clean up stale Unix socket files on Windows by @mfrischknecht in https://github.com/caddyserver/caddy/pull/7676
  • admin: reject non-canonical config array indices by @Amemoyoi in https://github.com/caddyserver/caddy/pull/7592
  • caddytls: Expand ACME credentials by @tribut in https://github.com/caddyserver/caddy/pull/7554
  • caddyauth: set user placeholders before auth rejection by @cyphercodes in https://github.com/caddyserver/caddy/pull/7685
  • caddyauth: revert user placeholders on auth rejection by @steadytao in https://github.com/caddyserver/caddy/pull/7688
  • chore: Fix golangci-lint 2.12.1 findings by @steadytao in https://github.com/caddyserver/caddy/pull/7690
  • httpcaddyfile: accept duration strings for log sampling interval by @tomholford in https://github.com/caddyserver/caddy/pull/7694
  • tls: Add alpn to managed HTTPS records by @steadytao in https://github.com/caddyserver/caddy/pull/7653
  • caddytls: avoid duplicate automation for wildcard-covered hosts by @Rijul-A in https://github.com/caddyserver/caddy/pull/7697
  • docs: add documentation for fileExists and fileStat template functions by @steffenbusch in https://github.com/caddyserver/caddy/pull/7700
  • rewrite: escape file matcher paths before rewriting by @cyphercodes in https://github.com/caddyserver/caddy/pull/7683
  • metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP by @Br1an67 in https://github.com/caddyserver/caddy/pull/7553
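Two of the entries above, #7673 (require a path segment boundary in remote access control) and #7592 (reject non-canonical config array indices), are the admin auth-bypass fixes named in the security patches. The notes do not describe the bypasses; this added Go example, which is not Caddy's access-control code, models the class of bug each title names: a bare string-prefix test over-matches sibling config paths, and an array index that can be spelled more than one way lets a string-compared permission list and an integer-indexed config walker disagree about which element a request touches. The `permission` type, the function names and the sample config paths are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// permission is an illustrative model of one remote-admin access-control
// entry: the /config/... paths an authenticated client may operate on. It is
// not Caddy's type; the release notes only say that path prefix matching and
// array index normalization had to be tightened.
type permission struct {
	allowedPrefixes []string
}

// naiveAllows is the weak form of the check: a bare string-prefix test.
// A permission for ".../routes/1" also admits ".../routes/10", because nothing
// requires the match to stop at a "/" boundary.
func naiveAllows(p permission, reqPath string) bool {
	for _, pre := range p.allowedPrefixes {
		if strings.HasPrefix(reqPath, pre) {
			return true
		}
	}
	return false
}

// boundaryAllows matches only when the allowed prefix is the whole path or is
// followed by "/", so siblings that merely share a string prefix are excluded.
func boundaryAllows(p permission, reqPath string) bool {
	for _, pre := range p.allowedPrefixes {
		pre = strings.TrimSuffix(pre, "/")
		if reqPath == pre || strings.HasPrefix(reqPath, pre+"/") {
			return true
		}
	}
	return false
}

// canonicalIndex parses a path segment as an array index and reports whether it
// is spelled in the single canonical form ("0", "1", "2", ...). "01", "+1" and
// "-0" all parse, but accepting them lets a string-compared permission list and
// an integer-indexed config walker disagree about which element is addressed.
func canonicalIndex(seg string) (idx int, canonical bool) {
	n, err := strconv.Atoi(seg)
	if err != nil || n < 0 {
		return 0, false
	}
	return n, strconv.Itoa(n) == seg
}

// checkConfigPath applies both rules: every segment that parses as an index
// must be canonical, and the whole path must sit under an allowed prefix at a
// segment boundary. It returns nil when the request may proceed.
func checkConfigPath(p permission, reqPath string) error {
	for _, seg := range strings.Split(strings.TrimPrefix(reqPath, "/"), "/") {
		if _, err := strconv.Atoi(seg); err != nil {
			continue // a key such as "apps" or "srv0", not an index
		}
		if _, ok := canonicalIndex(seg); !ok {
			return fmt.Errorf("non-canonical array index %q in %s", seg, reqPath)
		}
	}
	if !boundaryAllows(p, reqPath) {
		return fmt.Errorf("%s is outside the permitted config paths", reqPath)
	}
	return nil
}

func main() {
	perm := permission{allowedPrefixes: []string{"/config/apps/http/servers/srv0/routes/1"}}
	for _, reqPath := range []string{
		"/config/apps/http/servers/srv0/routes/1/handle",  // the intended element
		"/config/apps/http/servers/srv0/routes/10/handle", // sibling let in by a bare prefix test
		"/config/apps/http/servers/srv0/routes/01/handle", // same element, non-canonical spelling
	} {
		fmt.Printf("%-50s naive=%-5t tightened=%v\n",
			reqPath, naiveAllows(perm, reqPath), checkConfigPath(perm, reqPath))
	}
}
```

Whatever the exact fix in Caddy, the check to run against your own deployment is simpler: keep the admin endpoint on its default localhost socket unless you need remote management, and if you do enable remote access, read the permitted paths back with a sibling-prefix and a non-canonical-index request before trusting them.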

New Contributors

  • @steadytao made their first contribution in https://github.com/caddyserver/caddy/pull/7577
  • @henderkes made their first contribution in https://github.com/caddyserver/caddy/pull/7594
  • @yubiuser made their first contribution in https://github.com/caddyserver/caddy/pull/7564
  • @pberkel made their first contribution in https://github.com/caddyserver/caddy/pull/7609
  • @HarshPatel5940 made their first contribution in https://github.com/caddyserver/caddy/pull/7406
  • @tsinglua made their first contribution in https://github.com/caddyserver/caddy/pull/7571
  • @maxtruxa made their first contribution in https://github.com/caddyserver/caddy/pull/7579
  • @seroperson made their first contribution in https://github.com/caddyserver/caddy/pull/7569
  • @Amemoyoi made their first contribution in https://github.com/caddyserver/caddy/pull/7673
  • @mfrischknecht made their first contribution in https://github.com/caddyserver/caddy/pull/7676
  • @tribut made their first contribution in https://github.com/caddyserver/caddy/pull/7554
  • @cyphercodes made their first contribution in https://github.com/caddyserver/caddy/pull/7685
  • @tomholford made their first contribution in https://github.com/caddyserver/caddy/pull/7694
  • @Rijul-A made their first contribution in https://github.com/caddyserver/caddy/pull/7697
  • @Br1an67 made their first contribution in https://github.com/caddyserver/caddy/pull/7553

Full Changelog: https://github.com/caddyserver/caddy/compare/v2.11.2...v2.11.3

Security Fixes

  • fastcgi: Patch prevents execution of non-PHP files (collaboration with @dunglas, @KC1zs4, @chenjj)
  • vars: Thorough fix for GHSA-m2w3-8f23-hxxf
  • admin: Array index normalization to prevent remote auth bypass (by @Amemoyoi and bot)
  • admin: More rigorous path prefix matching to prevent remote auth bypass (by @Amemoyoi and bot)
  • dep: Upstream security fixes merged for quic-go and CertMagic
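The vars fix for GHSA-m2w3-8f23-hxxf and the related "vars: Don't expand placeholders in values" change point at the same hazard: once a var is set, its value must be treated as data, not as more template. The page does not say at which stage Caddy expanded (or now expands) placeholders, so this added Go toy, not Caddy's replacer, shows the general failure mode: single-pass substitution keeps a client-supplied `{env.DB_PASSWORD}` as a literal, while a replacer that re-scans its own output expands it. The `{name}` syntax, the `replacer` type and the constructed header and environment values are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholder matches one {name} token. The replacer below is a toy written
// for this illustration, not Caddy's; the release notes do not say which code
// path GHSA-m2w3-8f23-hxxf involved, only that vars values are no longer
// expanded, so the example shows the general hazard of re-scanning text that a
// client supplied as if the operator had written it.
var placeholder = regexp.MustCompile(`\{[^{}]+\}`)

type replacer struct {
	values map[string]string
}

// expandOnce substitutes every {key} present in s exactly once. Text produced
// by a substitution is never scanned again, so a value that contains "{...}"
// stays a literal.
func (r replacer) expandOnce(s string) string {
	return placeholder.ReplaceAllStringFunc(s, func(tok string) string {
		key := strings.Trim(tok, "{}")
		if v, ok := r.values[key]; ok {
			return v
		}
		return tok // unknown placeholder left as-is
	})
}

// expandRepeatedly re-scans until nothing changes (bounded so a self-reference
// cannot loop). This is the unsafe pattern: whatever a placeholder produced,
// including request-controlled bytes, is treated as more template.
func (r replacer) expandRepeatedly(s string) string {
	for i := 0; i < 8; i++ {
		next := r.expandOnce(s)
		if next == s {
			return s
		}
		s = next
	}
	return s
}

// setVar models an operator directive like `vars greeting {header.X-Greeting}`:
// the expression is expanded once when the var is set and the result stored as
// an opaque string under vars.<name>.
func (r replacer) setVar(name, expr string) {
	r.values["vars."+name] = r.expandOnce(expr)
}

// demo runs the same scenario through either expansion strategy and returns
// what a later handler would emit for "greeting={vars.greeting}".
func demo(expand func(replacer, string) string) string {
	r := replacer{values: map[string]string{
		"env.DB_PASSWORD":   "hunter2",               // constructed secret from the environment
		"header.X-Greeting": "hi {env.DB_PASSWORD}", // constructed attacker-controlled header
	}}
	r.setVar("greeting", "{header.X-Greeting}")
	return expand(r, "greeting={vars.greeting}")
}

func main() {
	fmt.Println("single pass:", demo(replacer.expandOnce))       // secret stays a literal
	fmt.Println("re-expanded:", demo(replacer.expandRepeatedly)) // secret leaks
}
```

The same test applies to any template or placeholder engine fed from request data: set a value from a header that contains the engine's own syntax, then read it back through a second placeholder and confirm the inner token comes out verbatim.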


About caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
