CVE-2026-27587
CRITICAL
GHSA-g7pc-pc7g-h8jh
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Analysis
Case sensitivity bypass in Caddy web server path matching before 2.11.1. HTTP path matchers can be bypassed using alternate casing on case-insensitive filesystems. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all Caddy instances and their versions; disable or restrict HTTP path matchers containing percent-escape sequences if operationally feasible; enable enhanced logging on path-based access controls. Within 7 days: implement WAF rules to normalize and validate URL encoding before requests reach Caddy; segment affected systems from sensitive data stores; establish daily vulnerability scanning. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today