Improper handling of exceptional conditions in Caddy - CVE-2026-27586

Published: April 27, 2026


Vulnerability identifier: #VU128029
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27586
CWE-ID: CWE-755
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Caddy
Affected software:
Caddy

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass mTLS client certificate authentication.

The vulnerability exists due to improper handling of error conditions in ClientAuthentication.provision() in modules/caddytls/connpolicy.go when the configured CA certificate files are loaded. A remote attacker can present a client certificate signed by a CA that is trusted by the fallback trust store but was never part of the intended private CA configuration, and pass mTLS client certificate authentication.

The issue occurs when a configured CA certificate file is missing, unreadable, or malformed: the server starts without reporting an error and verifies client certificates against the system root pool instead of the intended private CA trust boundary.


How to mitigate CVE-2026-27586

Install security update from vendor's website.

Sources