Path Sanitization Bypass in Caddy Server Affecting Specific Environments
CVE-2026-27585

6.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 24 February 2026

What is CVE-2026-27585?

Caddy, a flexible server platform that uses TLS by default, has a vulnerability in its path sanitization. Prior to version 2.11.1, the file matcher fails to properly sanitize backslashes, potentially allowing attackers to bypass certain path-related security mechanisms. The vulnerability affects specific configurations of Caddy, so users should update to version 2.11.1 or later. For details on the issue and the fix, see the Caddy security advisory and release notes.
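The advisory says only that backslashes were not sanitized by the file matcher. The following Go example is added here to illustrate that class of defect and its fix; it is not Caddy's code and makes no claim about how Caddy's matcher is written. NaiveAllowed is a hypothetical forward-slash-only traversal check, and ResolveUnderRoot is a hypothetical hardened resolver that treats backslashes as separators before checking, rejects any ".." segment, and verifies the joined result stays under the site root. The sample paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a request path tries to climb above the root.
var ErrTraversal = errors.New("path traversal rejected")

// NaiveAllowed is a forward-slash-only check of the kind the advisory implies
// is insufficient: a backslash-separated "..\" sequence is never seen by it.
// Hypothetical, for contrast only.
func NaiveAllowed(p string) bool {
	return !strings.Contains(p, "../")
}

// ResolveUnderRoot maps a request path to a file path below root.
// Hypothetical hardened version (not Caddy's code): backslashes are treated
// as separators before any check, ".." segments are rejected outright, and
// the joined result is verified to still lie under root.
func ResolveUnderRoot(root, reqPath string) (string, error) {
	// Step 1: a backslash is a separator on Windows filesystems, so a matcher
	// that leaves it alone lets "..\" reach the OS. Normalize it first.
	norm := strings.ReplaceAll(reqPath, "\\", "/")

	// Step 2: refuse any ".." segment rather than silently cleaning it away,
	// so traversal attempts surface as errors that can be logged.
	for _, seg := range strings.Split(norm, "/") {
		if seg == ".." {
			return "", ErrTraversal
		}
	}

	// Step 3: clean the rooted path to collapse "." and duplicate slashes.
	cleaned := path.Clean("/" + norm)

	// Step 4: join to root and verify containment as defence in depth.
	full := path.Join(root, cleaned)
	if full != root && !strings.HasPrefix(full, root+"/") {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample request paths; the backslash variant is the shape
	// the advisory describes as escaping a forward-slash-only sanitizer.
	samples := []string{"/index.html", "/../../outside.txt", "/..\\..\\outside.txt"}
	for _, p := range samples {
		full, err := ResolveUnderRoot("/srv/www", p)
		fmt.Printf("%-24q naive=%-5v hardened=%q err=%v\n", p, NaiveAllowed(p), full, err)
	}
}
```

The contrast worth noticing is the third sample: NaiveAllowed passes it because the string never contains "../", while ResolveUnderRoot rejects it because the backslashes are normalized before the ".." check runs. Step 4 is redundant for the rejected cases but guards against a future change to steps 1 to 3 reintroducing an escape.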

Affected Version(s)

caddy < 2.11.1

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
