CVE-2026-24853 PUBLISHED

Caido has an insufficient patch for DNS rebind leading to RCE

Assigner: GitHub_M
Reserved: 27.01.2026 Published: 13.02.2026 Updated: 13.02.2026

Caido is a web security auditing toolkit. Prior to 0.55.0, Caido blocks non whitelisted domains to reach out through the 8080 port, and shows Host/IP is not allowed to connect to Caido on all endpoints. But this is bypassable by injecting a X-Forwarded-Host: 127.0.0.1:8080 header. This vulnerability is fixed in 0.55.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	caido
Product	caido
Versions	Version < 0.55.0 is affected

References

https://github.com/caido/caido/security/advisories/GHSA-3q5q-p8vj-8783

Problem Types

CWE-290: Authentication Bypass by Spoofing CWE