CVE-2026-24853 Overview
CVE-2026-24853 is an authentication bypass vulnerability in Caido, a web security auditing toolkit. Prior to version 0.55.0, Caido implements domain whitelisting to restrict which hosts can connect through port 8080, displaying a "Host/IP is not allowed to connect to Caido" error message for blocked domains. However, this security control can be bypassed by injecting a malicious X-Forwarded-Host: 127.0.0.1:8080 header into HTTP requests, allowing unauthorized access to the Caido interface.
Critical Impact
Attackers can bypass domain whitelisting controls to gain unauthorized access to the Caido web security auditing interface, potentially exposing sensitive security testing data and configurations.
Affected Products
- Caido versions prior to 0.55.0
Discovery Timeline
- 2026-02-13 - CVE-2026-24853 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-24853
Vulnerability Analysis
This vulnerability falls under CWE-290 (Authentication Bypass by Spoofing): the application bases a trust decision on an HTTP header that any client can set freely. Caido's domain whitelisting mechanism is designed to prevent unauthorized hosts from accessing the security auditing toolkit through port 8080. When a non-whitelisted domain attempts to connect, the application should block the request and display an error message.
The flaw exists in how Caido processes and trusts the X-Forwarded-Host header. This header is typically used by reverse proxies to indicate the original host requested by the client. However, Caido fails to properly validate or sanitize this header, allowing attackers to inject a trusted localhost value (127.0.0.1:8080) to spoof their origin and bypass the domain whitelist entirely.
Root Cause
The root cause is improper validation of the X-Forwarded-Host HTTP header. Caido trusts this header for making access control decisions without verifying whether the request actually originated from a legitimate reverse proxy. This allows direct client connections to manipulate the header and impersonate trusted hosts, effectively circumventing the domain whitelisting security mechanism.
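The following is an added illustration of the root-cause pattern described above and of the usual remediation for it (honour X-Forwarded-* headers only from a known reverse proxy). It is not Caido's code and does not claim to reproduce the actual fix in 0.55.0; the Request class, the ALLOWED_HOSTS allowlist and the TRUSTED_PROXIES range are assumptions made for the example.

```python
# Added illustration of the CWE-290 pattern; this is not Caido's code.
# Request, ALLOWED_HOSTS and TRUSTED_PROXIES are assumed names/values.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hosts the service is willing to serve (assumed allowlist; the advisory's
# 127.0.0.1:8080 is the value an attacker would try to impersonate).
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080"}
# Only a reverse proxy on this network may set X-Forwarded-* headers (assumed).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


@dataclass
class Request:
    remote_addr: str                      # TCP peer address; not settable via a header
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def effective_host_vulnerable(req):
    """Root-cause pattern: honour X-Forwarded-Host from any client."""
    return req.header("X-Forwarded-Host") or req.header("Host") or ""


def effective_host_hardened(req):
    """Honour X-Forwarded-Host only when the TCP peer is a trusted proxy."""
    peer = ip_address(req.remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = req.header("X-Forwarded-Host")
        if forwarded:
            return forwarded
    # Direct connections are judged on the Host header they actually sent.
    return req.header("Host") or ""


def is_allowed(host):
    return host.strip().lower() in ALLOWED_HOSTS


def check(req, resolver):
    """True if the request would be admitted under the given host resolver."""
    return is_allowed(resolver(req))


if __name__ == "__main__":
    # Constructed: a direct (non-proxied) client presenting the spoofed header.
    direct = Request("203.0.113.5", {"Host": "evil.example:8080",
                                     "X-Forwarded-Host": "127.0.0.1:8080"})
    print("vulnerable resolver admits direct client:", check(direct, effective_host_vulnerable))
    print("hardened resolver admits direct client:  ", check(direct, effective_host_hardened))
```

The hardened variant keys the decision on the TCP peer address rather than on anything in the request body or headers, so a client that is not the configured proxy cannot claim a loopback origin; a genuine local connection still passes because its own Host header is on the allowlist.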
Attack Vector
The attack is network-based and can be executed remotely without authentication. An attacker sends an HTTP request to the Caido instance on port 8080 with a crafted X-Forwarded-Host header set to 127.0.0.1:8080. When Caido processes this request, it reads the spoofed header value and incorrectly determines that the connection originates from a whitelisted localhost address, granting access that should have been denied.
The attack requires no user interaction and can be performed by any network-connected attacker who can reach the Caido instance. Once the whitelist bypass is achieved, the attacker gains access to the Caido security auditing interface, which may contain sensitive information about ongoing security assessments, target configurations, and discovered vulnerabilities.
Detection Methods for CVE-2026-24853
Indicators of Compromise
- HTTP requests containing X-Forwarded-Host headers with localhost values (127.0.0.1, localhost, ::1) from external sources
- Unusual access patterns to Caido's port 8080 from non-whitelisted IP addresses
- Authentication logs showing successful connections that should have been blocked by domain whitelisting
Detection Strategies
- Monitor incoming HTTP requests for suspicious X-Forwarded-Host header manipulation attempts
- Implement network-level monitoring to detect external connections using localhost spoofing in headers
- Review web server access logs for requests containing X-Forwarded-Host: 127.0.0.1:8080 patterns from untrusted sources
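The following is an added detection example for the strategies listed above; it is not Caido's code, and the JSON-lines log format, the sample records and the trusted-proxy range are constructed assumptions rather than a real Caido log. It flags records whose X-Forwarded-Host claims a loopback origin (127.x, localhost, ::1, with or without a port) while the TCP peer is not a configured reverse proxy, and it generalizes slightly beyond the advisory's single 127.0.0.1:8080 value by handling the IPv6 and bracketed spellings too.

```python
# Added detection example; not Caido's code. Log format, sample records and
# TRUSTED_PROXIES are constructed assumptions.
import json
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]   # assumed: where the real reverse proxy lives

# Constructed sample log (one JSON object per line), not captured from a real instance.
SAMPLE_LOG = """\
{"ts": "2026-02-14T10:01:02Z", "remote_addr": "203.0.113.5", "host": "evil.example:8080", "x_forwarded_host": "127.0.0.1:8080", "status": 200}
{"ts": "2026-02-14T10:01:05Z", "remote_addr": "10.0.0.2", "host": "caido.internal", "x_forwarded_host": "localhost:8080", "status": 200}
{"ts": "2026-02-14T10:01:09Z", "remote_addr": "192.0.2.44", "host": "caido.example:8080", "x_forwarded_host": null, "status": 403}
{"ts": "2026-02-14T10:02:31Z", "remote_addr": "198.51.100.7", "host": "198.51.100.7:8080", "x_forwarded_host": "[::1]:8080", "status": 200}
"""


def _strip_port(hostport):
    """Return the host part of a Host-style value ('[::1]:8080' -> '::1')."""
    hostport = hostport.strip()
    if hostport.startswith("["):                  # bracketed IPv6 literal
        end = hostport.find("]")
        return hostport[1:end] if end != -1 else hostport
    if hostport.count(":") == 1:                  # name-or-IPv4:port
        return hostport.rsplit(":", 1)[0]
    return hostport                               # bare IPv6 or no port


def is_loopback_host(value):
    """True for the localhost spellings the advisory lists: 127.x, localhost, ::1."""
    host = _strip_port(value).lower()
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:                            # a hostname, not an IP literal
        return False


def is_trusted_proxy(addr):
    try:
        peer = ip_address(addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def find_spoofed_forwarded_host(log_text):
    """Flag records whose X-Forwarded-Host claims loopback but whose TCP peer
    is not a trusted proxy. A 200 on such a record matches the IoC of a
    connection that the whitelist should have blocked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        fwd = rec.get("x_forwarded_host")
        if fwd and is_loopback_host(fwd) and not is_trusted_proxy(rec["remote_addr"]):
            hits.append({"ts": rec["ts"], "remote_addr": rec["remote_addr"],
                         "x_forwarded_host": fwd, "status": rec.get("status")})
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_forwarded_host(SAMPLE_LOG):
        print("ALERT loopback X-Forwarded-Host from untrusted peer:", hit)
```

On the constructed sample the rule fires twice (the 203.0.113.5 and 198.51.100.7 records) and stays quiet for the legitimate proxy at 10.0.0.2 and for the request that carried no forwarded header at all. The same predicate can be expressed as a WAF or SIEM rule: a loopback-looking X-Forwarded-Host value combined with a source address outside the proxy range.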
Monitoring Recommendations
- Enable verbose logging on Caido instances to capture full HTTP headers for forensic analysis
- Deploy WAF rules to detect and alert on X-Forwarded-Host header injection attempts
- Establish baseline network behavior for Caido instances and alert on deviations in connection sources
How to Mitigate CVE-2026-24853
Immediate Actions Required
- Upgrade Caido to version 0.55.0 or later immediately to apply the security fix
- Restrict network access to Caido instances using firewall rules to limit exposure
- Review access logs for any signs of exploitation using the X-Forwarded-Host bypass technique
Patch Information
The vulnerability is fixed in Caido version 0.55.0. Users should upgrade to this version or later to remediate the issue. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF in front of Caido that strips or validates X-Forwarded-Host headers from incoming requests
- Implement network segmentation to limit which hosts can reach Caido's listening port
- Configure firewall rules to only allow connections from explicitly trusted IP addresses until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.