Caddy is an extensible server platform that uses TLS by default.
Update Information:
Security update resolving 17 CVEs across both caddy itself and its vendored libraries.
* Tue Jun 23 2026 Carl George
[ 1 ] Bug #2488094 - CVE-2026-30851 caddy: Caddy: Privilege escalation via identity injection due to unstripped client headers [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488094
[ 2 ] Bug #2488095 - CVE-2026-30852 caddy: Caddy: Information disclosure via double-expansion of user-controlled input [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488095
[ 3 ] Bug #2488141 - CVE-2026-40097 caddy: Step CA: Denial of Service via crafted attestation key certificate [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488141
[ 4 ] Bug #2488502 - CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488502
[ 5 ] Bug #2488503 - CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2488503
[ 6 ] Bug #2488514 - CVE-2026-275...
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-950cac64f2' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label