SB2026042757 - Multiple vulnerabilities in Caddy

Published: April 27, 2026

Security Bulletin ID: SB2026042757
Severity: High
Patch available: YES
Number of vulnerabilities: 6
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 50%, Medium 50%

Description

This security bulletin contains information about 6 security vulnerabilities.


1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-27585)

The vulnerability allows a remote attacker to bypass path-related security protections.

The vulnerability exists due to improper sanitization of glob characters in the file matcher when expanding request paths into glob patterns for the try_files directive. A remote attacker can send a specially crafted request path containing backslashes to bypass path-related security protections.

It affects configurations where try_files is used with path-based filtering or upstream access restrictions, and directive ordering can influence whether the protection is bypassed.


2) Improper handling of exceptional conditions (CVE-ID: CVE-2026-27586)

The vulnerability allows a remote attacker to bypass mTLS client certificate authentication.

The vulnerability exists due to improper exception handling in ClientAuthentication.provision() in modules/caddytls/connpolicy.go when processing configured CA certificate files. A remote attacker can present a client certificate signed by an unintended trusted CA to bypass mTLS client certificate authentication.

The issue occurs when the configured CA certificate file is missing, unreadable, or malformed, causing the server to start without error and fall back to the system root pool instead of the intended private CA trust boundary.


3) Improper access control (CVE-ID: CVE-2026-27587)

The vulnerability allows a remote attacker to bypass path-based routing and access controls.

The vulnerability exists due to improper access control in the MatchPath path request matcher when processing request paths containing percent-escape sequences. A remote attacker can send a specially crafted request path with altered casing to bypass path-based routing and access controls.

Exploitation requires a deployment that uses path matchers with %xx patterns to protect sensitive endpoints, and the issue can lead to unauthorized access depending on upstream configuration.


4) Improper access control (CVE-ID: CVE-2026-27588)

The vulnerability allows a remote attacker to bypass host-based routing and access controls.

The vulnerability exists due to improper access control in the MatchHost host request matcher when handling requests with modified Host header casing in large host lists. A remote attacker can send a specially crafted request with altered Host header casing to bypass host-based routing and access controls.

Only configurations using host matchers with more than 100 entries are affected.


5) Cross-site request forgery (CVE-ID: CVE-2026-27589)

The vulnerability allows a remote attacker to apply an arbitrary configuration and alter server behavior.

The vulnerability exists due to cross-site request forgery in the /load admin endpoint when processing cross-origin requests to the local admin API with origin enforcement disabled. A remote attacker can cause a victim browser to send a specially crafted request to apply an arbitrary configuration and alter server behavior.

User interaction is required, and exploitation requires Caddy to be running with the local admin API enabled and origin enforcement not configured.


6) Input validation error (CVE-ID: CVE-2026-27590)

The vulnerability allows a remote attacker to execute unintended PHP code.

The vulnerability exists due to incorrect calculation of a path split index in fastcgi.Transport.splitPos() and buildEnv() in the FastCGI transport when processing crafted request paths containing Unicode characters whose lowercase form changes UTF-8 byte length. A remote attacker can send a specially crafted request path to execute unintended PHP code.

Exploitation depends on deployment conditions that allow attacker-controlled file contents to be resolved as SCRIPT_FILENAME, such as upload features or writable directories.


Remediation

Install the update from the vendor's website.