Caddy Server Platform Vulnerability in HTTP Host Matching
CVE-2026-27588

7.7 HIGH

Key Information:

Status
Vendor
CVE Published: 24 February 2026

What is CVE-2026-27588?

Caddy, the web server known for enabling TLS by default, has a flaw in its HTTP host request matcher. Before version 2.11.1 the matcher is documented as case-insensitive, but when the configured host list is large (more than 100 entries) an optimized matching path is used that compares case-sensitively. An attacker can therefore bypass host-based routing rules, and any access controls attached to them, simply by changing the letter case of the Host header. Version 2.11.1 fixes the issue.
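The following Go program is an added illustration of the bug class described above; it is not Caddy's code and does not reproduce its matcher. It assumes a hypothetical `HostMatcher` that uses a linear, case-folding scan for small lists and switches to a map lookup once the list exceeds 100 entries (the threshold the advisory names). The buggy variant builds and consults the map with host names as written, so the fast path silently becomes case-sensitive; the fixed variant lower-cases both the stored keys and the incoming Host value. `ConsistentAcrossCasing` is the check a deployer can run against any matcher: every configured host must match in original, upper-case and mixed-case forms regardless of list size. The host names are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// fastPathThreshold mirrors the list size the advisory names: above 100 entries
// the matcher switches to an optimized map lookup (hypothetical design).
const fastPathThreshold = 100

// HostMatcher is a simplified, hypothetical host matcher used only to
// illustrate the bug class. It is not Caddy's implementation.
type HostMatcher struct {
	hosts     []string
	normalize bool                // true = fold case when building and consulting the map
	fastMap   map[string]struct{} // nil unless len(hosts) > fastPathThreshold
}

// NewHostMatcher builds a matcher. With normalize=false the fast path stores
// and looks up hosts exactly as written (the buggy behaviour). With
// normalize=true it lower-cases both sides, so the fast path agrees with the
// documented case-insensitive behaviour of the linear path.
func NewHostMatcher(hosts []string, normalize bool) *HostMatcher {
	m := &HostMatcher{hosts: hosts, normalize: normalize}
	if len(hosts) > fastPathThreshold {
		m.fastMap = make(map[string]struct{}, len(hosts))
		for _, h := range hosts {
			m.fastMap[m.key(h)] = struct{}{}
		}
	}
	return m
}

// key returns the map key for a host name; only the fixed matcher folds case.
func (m *HostMatcher) key(h string) string {
	if m.normalize {
		return strings.ToLower(h)
	}
	return h
}

// Match reports whether host is in the configured list. The linear path is
// always case-insensitive (strings.EqualFold); the fast path is only as
// case-insensitive as the keys it was built with.
func (m *HostMatcher) Match(host string) bool {
	if m.fastMap != nil {
		_, ok := m.fastMap[m.key(host)]
		return ok
	}
	for _, h := range m.hosts {
		if strings.EqualFold(h, host) {
			return true
		}
	}
	return false
}

// ConsistentAcrossCasing is the deployer's check: every configured host must
// match in its original, upper-case and mixed-case forms, whichever internal
// path the matcher takes for the current list size.
func ConsistentAcrossCasing(m *HostMatcher) bool {
	for _, h := range m.hosts {
		if h == "" {
			continue
		}
		mixed := strings.ToUpper(h[:1]) + h[1:] // e.g. "Host-0.example.com"
		for _, v := range []string{h, strings.ToUpper(h), mixed} {
			if !m.Match(v) {
				return false
			}
		}
	}
	return true
}

// constructedHosts generates n sample host names (constructed test data).
func constructedHosts(n int) []string {
	hosts := make([]string, n)
	for i := range hosts {
		hosts[i] = fmt.Sprintf("host-%d.example.com", i)
	}
	return hosts
}

func main() {
	probe := "HOST-3.EXAMPLE.COM" // same host as host-3.example.com, different casing
	small := NewHostMatcher(constructedHosts(5), false)
	largeBuggy := NewHostMatcher(constructedHosts(150), false)
	largeFixed := NewHostMatcher(constructedHosts(150), true)
	fmt.Printf("small list (linear path)   : %v\n", small.Match(probe))      // true
	fmt.Printf("large list, buggy fast path: %v\n", largeBuggy.Match(probe)) // false
	fmt.Printf("large list, fixed fast path: %v\n", largeFixed.Match(probe)) // true
	fmt.Printf("buggy matcher consistent?  : %v\n", ConsistentAcrossCasing(largeBuggy)) // false
	fmt.Printf("fixed matcher consistent?  : %v\n", ConsistentAcrossCasing(largeFixed)) // true
}
```

The point the program makes is that a matcher's correctness has to be checked on both of its code paths: a unit test with five hosts passes on either variant, and only a list past the threshold exposes the case-sensitive fast path. Running the consistency check with a list size above the switch-over point is the cheap way to catch this class of regression before deployment.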

Affected Version(s)

caddy < 2.11.1

References

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
