Caddy v2.11.3 released on 12-05-2026

Caddy v2.11.3 is out now. Operators and site administrators benefit from multiple security hardenings and reliability improvements across FastCGI, the admin API, TLS/ACME and QUIC.
See the release notes and download links on the project GitHub for full details and upgrade instructions: https://github.com/caddyserver/caddy/compare/v2.11.2...v2.11.3

What’s in this release
- Security fixes: a FastCGI patch (ported from FrankenPHP) that prevents non-PHP files from being executed, a more complete vars fix for the GHSA advisory, and several admin hardenings to stop remote admin socket auth bypasses.
- TLS/ACME and QUIC refinements: implicit Tailscale *.ts.net policies no longer fall back to ACME, expanded ACME credential/issuer inheritance and ALPN for managed HTTPS records, plus ECH key propagation and upstream quic‑go/CertMagic fixes.
- Reverse proxy and reliability tweaks: fixes for redundant Host header handling, configurable stream copy buffer size, new lb_retry_match condition and the ability to clear dynamic upstreams cache during retries, plus assorted rewrite and query fixes.

Upgrade notes
- No breaking changes are reported for v2.11.3; upgrade is recommended to close the security vectors. Follow the upgrade guidance and see the full changelog on GitHub: https://github.com/caddyserver/caddy/compare/v2.11.2...v2.11.3
- If you must roll back, reinstall the previous tag (v2.11.2) — the compare/changelog above shows the changes between the two releases to help diagnosis.

Let us know how the upgrade goes or report any issues on the project’s GitHub — feedback on compatibility and observability changes is especially useful.
