auth_svc in Caldera prior to 2.6.5 allows authentication bypass (for REST API requests) via a forged "localhost" string in the HTTP Host header.
mitre caldera