Caddy v2.11.3 released on 12-05-2026

Caddy v2.11.3 is out now. Operators and administrators benefit from security and admin hardening that prevents non‑PHP files from being executed and closes several remote admin socket auth bypasses.
See the full changelog on GitHub for details and the complete list of fixes and improvements: https://github.com/caddyserver/caddy/compare/v2.11.2...v2.11.3

What’s in this release
- Security and admin hardening: fastcgi patch to prevent execution of non‑PHP files, a more complete vars GHSA fix, and multiple admin fixes that close remote admin socket auth bypasses.
- TLS, ACME and transport improvements: avoid ACME fallback for implicit Tailscale policies, add ALPN to managed HTTPS records, propagate ECH keys to the QUIC listener and prefer port 443 when auto‑HTTPS selects a default.
- Request handling and observability: sync placeholder behaviour, avoid inappropriate placeholder expansion, configurable reverseproxy stream copy buffer size, journald and OTLP metric improvements, and redaction of sensitive request headers in API logs.

Upgrade notes
- No breaking changes are called out in the release notes; review the full changelog on GitHub before upgrading.
- If you need to roll back, the previous tag in the changelog comparison is v2.11.2; follow your usual rollback procedure.

Please share comments on your upgrade experience or any issues you spot after updating.
