Improper access control in Caddy - CVE-2026-27588

Published: April 27, 2026


Vulnerability identifier: #VU128031
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-27588
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Caddy
Affected software:
Caddy

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass host-based routing and access controls.

The vulnerability exists due to improper access control in the MatchHost host request matcher when handling requests with modified Host header casing in large host lists. A remote attacker can send a specially crafted request with altered Host header casing to bypass host-based routing and access controls.

Only configurations using host matchers with more than 100 entries are affected.
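The defect class the advisory describes is a host matcher whose small-list and large-list lookup paths disagree on case: a linear scan compares hostnames case-insensitively, while the map built for lists above the threshold keys on the exact string as configured, so the same Host value with altered casing is treated differently depending only on how many hosts are configured. The Go program below is an added illustration of that class and of the corresponding fix; it is not Caddy's MatchHost implementation, the type and function names are hypothetical, and the only value taken from the advisory is the 100-entry threshold. The host list and the probe hostnames are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// largeThreshold is the only figure taken from the advisory: matchers with
// more than 100 entries switch to the map-based lookup path.
const largeThreshold = 100

// HostMatcher is a hypothetical matcher with two lookup strategies: a linear
// scan for small lists and a map for large ones. It is not Caddy's code.
type HostMatcher struct {
	hosts []string
	set   map[string]struct{} // populated only when len(hosts) > largeThreshold
}

// NewVulnerable reproduces the defect class: the map is keyed on the hosts
// exactly as configured, so the large-list path is case-sensitive while the
// small-list path (strings.EqualFold) is not.
func NewVulnerable(hosts []string) *HostMatcher {
	m := &HostMatcher{hosts: hosts}
	if len(hosts) > largeThreshold {
		m.set = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.set[h] = struct{}{}
		}
	}
	return m
}

// NewHardened normalises every configured host to lower case when the map is
// built; MatchHardened normalises the request host the same way, so both
// lookup paths agree regardless of list size.
func NewHardened(hosts []string) *HostMatcher {
	m := &HostMatcher{hosts: hosts}
	if len(hosts) > largeThreshold {
		m.set = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.set[strings.ToLower(h)] = struct{}{}
		}
	}
	return m
}

// hostOnly strips an optional port from a Host header value, handling the
// bracketed IPv6 form; values without a port are returned unchanged.
func hostOnly(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		return h
	}
	return host
}

// MatchVulnerable: large lists hit the exact-case map, small lists use a
// case-insensitive scan, so results differ with casing once the list grows.
func (m *HostMatcher) MatchVulnerable(reqHost string) bool {
	h := hostOnly(reqHost)
	if m.set != nil {
		_, ok := m.set[h]
		return ok
	}
	for _, cfg := range m.hosts {
		if strings.EqualFold(cfg, h) {
			return true
		}
	}
	return false
}

// MatchHardened lower-cases the request host before either lookup path.
func (m *HostMatcher) MatchHardened(reqHost string) bool {
	h := strings.ToLower(hostOnly(reqHost))
	if m.set != nil {
		_, ok := m.set[h]
		return ok
	}
	for _, cfg := range m.hosts {
		if strings.EqualFold(cfg, h) {
			return true
		}
	}
	return false
}

// ConstructedHosts builds a constructed list of n hostnames for the demo.
func ConstructedHosts(n int) []string {
	hosts := make([]string, 0, n)
	for i := 0; i < n; i++ {
		hosts = append(hosts, fmt.Sprintf("svc%d.example.test", i))
	}
	return hosts
}

func main() {
	large := ConstructedHosts(largeThreshold + 1) // 101 entries: large path
	small := large[:3]                            // 3 entries: linear path
	for _, c := range []struct {
		name  string
		hosts []string
		probe string
	}{
		{"large list, mixed-case Host", large, "SVC7.Example.Test:443"},
		{"small list, mixed-case Host", small, "SVC1.Example.Test:443"},
	} {
		fmt.Printf("%-28s vulnerable=%-5v hardened=%v\n", c.name,
			NewVulnerable(c.hosts).MatchVulnerable(c.probe),
			NewHardened(c.hosts).MatchHardened(c.probe))
	}
}
```

Running it shows the inconsistency the advisory is about: the small list matches the mixed-case probe on both matchers, while the large list matches it only on the hardened matcher. A configuration review can apply the same test directly: if a host-matched route carries the access control, a request whose Host falls out of that route because of casing alone is routed somewhere the operator did not intend, which is why normalising case at the point the lookup structure is built and again at lookup time is the fix pattern.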


How to mitigate CVE-2026-27588

Install the security update from the vendor's website.

Sources