{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/caddy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["caddy-defender (\u003c 0.10.1)"],"_cs_severities":["high"],"_cs_tags":["cve","defender","proxy","bypass","ghsa"],"_cs_type":"advisory","_cs_vendors":["Caddy"],"content_html":"\u003cp\u003eCaddy Defender, a middleware for the Caddy web server, is susceptible to a client IP address bypass vulnerability, identified as CVE-2026-46415, in versions prior to v0.10.1. This flaw arises when Caddy Defender is deployed behind a trusted proxy, CDN, or load balancer. The issue stems from Defender\u0026rsquo;s reliance on \u003ccode\u003er.RemoteAddr\u003c/code\u003e for evaluating request blocking, which reflects the IP address of the immediate peer (the proxy) rather than the originating client. Consequently, clients within blocked IP ranges can circumvent Defender\u0026rsquo;s intended restrictions by routing their traffic through a trusted proxy whose IP address is not blocked. Organizations using Caddy Defender behind trusted proxies to enforce IP-based access control are particularly vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA client with a blocked IP address attempts to access a protected resource.\u003c/li\u003e\n\u003cli\u003eThe client\u0026rsquo;s traffic is routed through a trusted proxy, CDN, or load balancer.\u003c/li\u003e\n\u003cli\u003eThe trusted proxy forwards the request to the Caddy web server.\u003c/li\u003e\n\u003cli\u003eCaddy Defender receives the request and evaluates the IP address for blocking.\u003c/li\u003e\n\u003cli\u003eDefender incorrectly uses \u003ccode\u003er.RemoteAddr\u003c/code\u003e, which reflects the trusted proxy\u0026rsquo;s IP address, not the client\u0026rsquo;s.\u003c/li\u003e\n\u003cli\u003eSince the proxy\u0026rsquo;s IP is not blocked, Defender allows the request to proceed.\u003c/li\u003e\n\u003cli\u003eThe client successfully accesses the protected resource, bypassing the intended IP-based restriction.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or performs actions they should be restricted from.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-46415) enables unauthorized access to protected resources by clients that should be blocked based on their IP address. This bypass can lead to data breaches, service disruption, or other malicious activities, depending on the resources protected by Caddy Defender. The severity is high because it directly undermines the intended security functionality of Caddy Defender when deployed behind trusted proxies.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Caddy Defender to version v0.10.1 or later to remediate the CVE-2026-46415 vulnerability, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Caddy Defender IP Bypass Attempt\u0026rdquo; to identify potential exploitation attempts by monitoring for requests originating from known blocked IP ranges based on web server logs.\u003c/li\u003e\n\u003cli\u003eUntil upgrading, enforce equivalent IP blocking at the trusted proxy, CDN, load balancer, or firewall layer as a workaround, as suggested in the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:31:38Z","date_published":"2026-05-19T20:31:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-caddy-defender-bypass/","summary":"Caddy Defender versions before v0.10.1 are vulnerable to a client IP bypass (CVE-2026-46415) when deployed behind a trusted proxy, allowing blocked clients to bypass Defender's IP-based restrictions.","title":"Caddy Defender Client IP Bypass Vulnerability (CVE-2026-46415)","url":"https://feed.craftedsignal.io/briefs/2026-05-caddy-defender-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Caddy","version":"https://jsonfeed.org/version/1.1"}