Release history

caddy releases

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

All releases

Review required
v2.11.4 Security relevant
Auth RBAC

Security patches + deps upgrade

Upgrade now
v2.11.3 Security relevant
Auth RCE / SSRF

Security patches

v2.11.2 Security relevant
Security fixes
  • forward_auth identity injection and privilege escalation vulnerability fixed
  • vars_regexp placeholder double-expansion vulnerability, which could reveal secrets, fixed
Notable features
  • New tls_resolvers global option to control DNS resolvers for ACME DNS challenge
  • Log rolling now supports zstd compression
  • Dynamic upstreams now tracked for passive health checking

v2.11.1 Security relevant
Security fixes
  • CVE-2026-27590 - FastCGI: Unicode case-folding length expansion causes incorrect SCRIPT_NAME/PATH_INFO split
  • CVE-2026-27589 - Admin API: no-cors mode cross-origin requests could bypass security
  • CVE-2026-27588 - Host matcher becomes case-sensitive for lists >100 items
Notable features
  • Encrypted ClientHello (ECH) keys now rotate automatically
  • SIGUSR1 can reload configuration from command line
  • Reverse proxy automatically rewrites Host header to upstream HTTPS address