What is the CVSS score of CVE-2026-27588?

CVE-2026-27588 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of TLS are affected by CVE-2026-27588?

Caddy web servers with large host configurations (>100 entries) are vulnerable to authentication and access control bypass due to case-sensitive host matching inconsistency.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27588?

Yes, a public proof-of-concept exploit is available for CVE-2026-27588. Prioritise patching immediately. EPSS: 0.0%.

TLS CVE-2026-27588

CRITICAL

Improper Handling of Case Sensitivity (CWE-178)

2026-02-24 security-advisories@github.com

GHSA-x76f-jf84-rqj8

TLS Caddy Suse

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 17:10 vuln.today

Public exploit code

CVE Published

Feb 24, 2026 - 17:29 nvd

CRITICAL 9.1

DescriptionNVD

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP host request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the Host header. Version 2.11.1 contains a fix for the issue.

AnalysisAI

Host header case sensitivity bypass in Caddy before 2.11.1. Virtual host routing can be bypassed by using alternate casing in the Host header. …

RemediationAI

Within 24 hours: Inventory all Caddy deployments and identify instances with >100 host entries in configuration; implement emergency WAF rules to normalize request headers to lowercase. Within 7 days: Reduce host list entries below 100 where possible through consolidation or wildcard patterns; isolate affected Caddy instances from untrusted networks. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-27588 vulnerability details – vuln.today

Back

TLS CVE-2026-27588

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code