CVE-2026-45045 Overview
CVE-2026-45045 affects Fiber, an Express-inspired web framework written in Go. The BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting the X-Real-IP header. This behavior preserves any attacker-supplied X-Real-IP value in the request as the first entry forwarded to upstream servers. Upstream services that rely on X-Real-IP for logging, rate limiting, or access control decisions will read the spoofed value. The issue is fixed in Fiber 3.3.0 and 2.52.14. The weakness maps to CWE-290: Authentication Bypass by Spoofing.
Critical Impact
Remote attackers can spoof their client IP address to upstream services behind a Fiber proxy, bypassing IP-based access controls, rate limiting, and audit logging.
Affected Products
- Fiber web framework versions prior to 2.52.14 (v2 branch)
- Fiber web framework versions prior to 3.3.0 (v3 branch)
- Applications using middleware/proxyBalancerForward helper
Discovery Timeline
- 2026-07-08 - CVE-2026-45045 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-45045
Vulnerability Analysis
The defect resides in the BalancerForward function within middleware/proxy/proxy.go. Fiber's proxy middleware is designed to forward the real client IP address to upstream servers using the X-Real-IP header. The intent is to overwrite any client-supplied X-Real-IP value with the trusted value derived from c.IP(). However, the implementation uses Header.Add(), which appends the value rather than replacing existing entries.
When Go's net/http client serializes multi-valued headers, downstream applications that read only the first X-Real-IP value receive the attacker-controlled input. Services relying on this header for audit trails, geolocation, or authorization decisions will act on a forged identity. The vulnerability requires no authentication and can be triggered over the network with a single crafted HTTP request.
Root Cause
The root cause is misuse of the Go net/http header API. Header.Add() appends a value to any existing header list, while Header.Set() replaces the list with a single entry. Because HTTP headers are multi-valued by design, appending a client-controlled value leaves the original attacker header intact for downstream consumers to parse.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to a Fiber application that forwards traffic through BalancerForward. The request includes a spoofed X-Real-IP header containing a chosen IP address. The Fiber proxy appends the trusted IP but preserves the attacker value as the first entry. Upstream services that inspect only the first header instance treat the request as originating from the spoofed address.
// Source: https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396
if !strings.HasPrefix(server, "http") {
server = "http://" + server
}
- c.Request().Header.Add("X-Real-IP", c.IP())
+ c.Request().Header.Set("X-Real-IP", c.IP())
return Do(c, server+c.OriginalURL(), clients...)
}
}
The patch replaces Header.Add() with Header.Set(), ensuring any prior X-Real-IP value from the client request is discarded before the trusted IP is written. An identical backport was applied to the v2 branch in commit 33c9501.
Detection Methods for CVE-2026-45045
Indicators of Compromise
- Requests to Fiber-fronted upstream services containing multiple X-Real-IP header values in a single HTTP request
- Upstream access logs showing an X-Real-IP value that does not match the connection source IP recorded by the proxy
- Rate-limit or access-control decisions applied to IPs from ranges that do not correspond to legitimate client geographies
Detection Strategies
- Inspect HTTP request captures at the upstream service for repeated X-Real-IP headers and compare the first and last values
- Correlate proxy connection logs with upstream application logs to identify divergence between the observed TCP source IP and the X-Real-IP value logged upstream
- Audit Go dependency manifests (go.mod, go.sum) for github.com/gofiber/fiber/v2 versions below 2.52.14 or github.com/gofiber/fiber/v3 versions below 3.3.0
Monitoring Recommendations
- Enable request header logging on upstream services that consume X-Real-IP and alert on requests carrying more than one instance of the header
- Monitor authorization failures and rate-limit hits grouped by X-Real-IP to identify anomalous distributions consistent with spoofing
- Track deployed Fiber versions across CI/CD pipelines and container registries to identify unpatched builds
How to Mitigate CVE-2026-45045
Immediate Actions Required
- Upgrade Fiber to version 3.3.0 for the v3 branch or 2.52.14 for the v2 branch
- Rebuild and redeploy any Go binaries that statically link the vulnerable Fiber versions
- Review upstream services to ensure they read only the trusted, last-appended X-Real-IP value or, preferably, use the connection source IP for authorization
Patch Information
The fix is delivered in Fiber v3.3.0 via pull request #4260 and backported to Fiber v2.52.14 via pull request #4495. Full details are in the GitHub Security Advisory GHSA-gcfq-8gqf-4876.
Workarounds
- Strip any incoming X-Real-IP header at the edge before it reaches the Fiber BalancerForward handler using a custom middleware that calls c.Request().Header.Del("X-Real-IP")
- Configure upstream services to derive the client IP from the TCP connection or from a trusted header set exclusively by a hardened reverse proxy such as nginx or Envoy
- Restrict inbound traffic to Fiber proxy endpoints so only trusted network segments can send requests with client-controlled headers
# Update Fiber to the patched release
go get github.com/gofiber/fiber/v3@v3.3.0
# Or for the v2 branch
go get github.com/gofiber/fiber/v2@v2.52.14
go mod tidy
go build ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

