Skip to main content

Caido CVE-2026-24853

HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-02-13 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 13, 2026 - 23:16 nvd
HIGH 8.1

DescriptionGitHub Advisory

Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.

AnalysisAI

Caido versions prior to 0.55.0 can be bypassed using a crafted X-Forwarded-Host header to circumvent domain whitelist restrictions, allowing unauthenticated remote attackers to reach non-whitelisted domains through port 8080. This vulnerability affects all users of the web security auditing toolkit and could enable attackers to exfiltrate data or attack internal systems. No patch is currently available for affected versions.

Technical ContextAI

Classified as CWE-290 (Authentication Bypass by Spoofing). Affects Caido. Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.

RemediationAI

Fixed in version 0.55.0.. Restrict network access to the affected service where possible.

Share

CVE-2026-24853 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy