CVE-2026-24853 in Caido

Summary

by MITRE • 02/14/2026

Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non-whitelisted domains from reaching out through port 8080, and shows "Host/IP is not allowed to connect to Caido" on all endpoints. But this is bypassable by injecting an X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.


Analysis

by VulDB Data Team • 02/20/2026

CVE-2026-24853 is a critical access control bypass in Caido, a web security auditing toolkit used for penetration testing and security assessment. It affects versions prior to 0.55.0 and stems from a fundamental flaw in the application's network access controls, one that can allow unauthorized access from inside the network. The affected control is the restriction on which domains may reach the application through port 8080, the port typically used for the proxy service in such tools. That control was designed as a whitelist: any host or IP address not explicitly permitted to connect to Caido's proxy endpoint is refused with the message "Host/IP is not allowed to connect to Caido".

The bypass relies on HTTP header manipulation. A request carrying an X-Forwarded-Host header with the value 127.0.0.1:8080 passes the domain whitelist even though the connecting host is not on it, because the application trusts the forwarded header without validating where it originated. The host is effectively spoofed: the application treats the connection as if it were addressed to an authorized internal address rather than coming from an unauthorized external source. This points to missing input validation and header sanitization in the application's proxy handling logic.
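As an added illustration of the check described above (example code, not Caido's own), the following Python compares a host allowlist that honours X-Forwarded-Host from any client with one that consults the forwarded header only when the request arrived from a trusted proxy; the allowlist, the sample requests and the trusted-proxy flag are constructed for the example.

```python
"""Added example, not Caido's code: a Host allowlist check of the kind that
CVE-2026-24853 describes, in a weak form that honours X-Forwarded-Host from
any client and a hardened form that honours it only behind a trusted proxy."""

# Constructed allowlist: the names a local tool expects to be addressed by.
ALLOWED_HOSTS = {"127.0.0.1:8080", "localhost:8080"}

def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict keyed by
    lower-cased header name; the request line and any body are ignored."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def effective_host_weak(headers: dict) -> str:
    """Weak: a forwarded header overrides Host no matter who sent it, so any
    client can claim the request was addressed to the loopback address."""
    return headers.get("x-forwarded-host") or headers.get("host", "")

def effective_host_hardened(headers: dict, from_trusted_proxy: bool) -> str:
    """Hardened: X-Forwarded-Host counts only when the TCP peer is a proxy the
    tool is configured to trust (an assumed flag); otherwise Host alone."""
    if from_trusted_proxy and "x-forwarded-host" in headers:
        return headers["x-forwarded-host"]
    return headers.get("host", "")

def check_request(raw_request: str, hardened: bool,
                  from_trusted_proxy: bool = False) -> bool:
    """True if the selected check would accept the request."""
    headers = parse_headers(raw_request)
    if hardened:
        host = effective_host_hardened(headers, from_trusted_proxy)
    else:
        host = effective_host_weak(headers)
    return host.strip().lower() in ALLOWED_HOSTS

# Constructed requests: one addressed to the allowed local name, one whose
# Host is not allowed but which carries a forwarded-host header.
LEGIT = "GET / HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n\r\n"
SPOOFED = ("GET / HTTP/1.1\r\nHost: untrusted.example\r\n"
           "X-Forwarded-Host: 127.0.0.1:8080\r\n\r\n")

if __name__ == "__main__":
    print("weak, spoofed:", check_request(SPOOFED, hardened=False))     # True
    print("hardened, spoofed:", check_request(SPOOFED, hardened=True))  # False
    print("hardened, legit:", check_request(LEGIT, hardened=True))      # True
```

The weak variant accepts the spoofed request purely on the strength of the forwarded header, while the hardened variant falls back to the real Host header unless the connection itself came through a proxy the operator has chosen to trust.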

The operational impact is significant for organizations that use Caido in security assessments, because the bypass can give a malicious actor access to internal systems the toolkit is meant to protect. A successful exploit can reach internal services that the application's network policy would normally refuse, which in turn can lead to unauthorized data access, internal network reconnaissance and, depending on the network architecture and the services listening on port 8080, more severe consequences. In short, the flaw undermines the security boundary the toolkit is supposed to maintain and can expose sensitive internal infrastructure to external threats.

Version 0.55.0 addresses the issue by strengthening validation of forwarded headers and ensuring that the source of a connection request is properly checked. The update likely includes tighter header sanitization, improved access control logic and more robust validation of the X-Forwarded-Host header to prevent spoofing. Organizations running Caido should upgrade to 0.55.0 or later without delay, and remediation should also include a review of existing configurations and access controls to confirm that no unauthorized access occurred while the vulnerability was present. The issue is classified under CWE-284 (improper access control) and can be mapped to ATT&CK techniques T1046 (network service scanning) and T1071 (application layer protocol), illustrating how header manipulation can be used to bypass network security controls.

This vulnerability underlines the importance of proper input validation and the principle of least privilege in security applications, particularly those that act as proxies or gateways between external and internal networks. Applications must not trust forwarded headers without validating them, and access control should be enforced at more than one layer of the architecture. Organizations should review their web security tools for similar bypasses in other components of their security infrastructure.

Responsible

GitHub M

Reservation

01/27/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00065

KEV

no

Activities

very low
