Path Confusion Vulnerability in Caddy Server by Caddy Software
CVE-2026-27590

8.9 HIGH

CVE Published: 24 February 2026

What is CVE-2026-27590?

Prior to version 2.11.1, Caddy Server has a vulnerability in its FastCGI path splitting logic. The flaw arises because the split index is computed on a lowercased copy of the incoming request path and then applied to the original path; since lowercasing can change the UTF-8 byte length of some characters, the index no longer refers to the same position in the original bytes. This can produce incorrect SCRIPT_NAME, SCRIPT_FILENAME, and PATH_INFO values, so that a request for a .php path may end up mapped to a non-.php file. In environments where an attacker controls file contents, such as those with upload capabilities, this creates a risk of executing unintended files, including potential remote code execution depending on the server's configuration.
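The byte-length mismatch described above, as an added example that is not Caddy's code or its fix: the sample path, the helper names, and the ASCII-only lowercasing used for the corrected split are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed request path: the Kelvin sign (U+212A, 3 bytes in UTF-8) precedes
// ".php". strings.ToLower maps it to ASCII 'k' (1 byte), so the lowercased copy
// is two bytes shorter than the original path.
const samplePath = "/upload/\u212A.php/payload.txt"

// splitIndexLowercased mirrors the flawed approach the advisory describes: find
// the end of the split marker in a fully lowercased copy of the path, then use
// that byte index on the ORIGINAL path.
func splitIndexLowercased(path, splitOn string) int {
	i := strings.Index(strings.ToLower(path), splitOn)
	if i < 0 {
		return -1
	}
	return i + len(splitOn)
}

// asciiLower lowercases only ASCII letters. It never changes byte length, so
// an index found in its output is also valid in the input.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// splitIndexASCII is the corrected variant: case-insensitive for the ASCII
// marker, but indexes stay aligned with the original bytes.
func splitIndexASCII(path, splitOn string) int {
	i := strings.Index(asciiLower(path), asciiLower(splitOn))
	if i < 0 {
		return -1
	}
	return i + len(splitOn)
}

// split returns (SCRIPT_NAME, PATH_INFO) for a given split index.
func split(path string, idx int) (string, string) {
	if idx < 0 || idx > len(path) {
		return path, ""
	}
	return path[:idx], path[idx:]
}

func main() {
	s, p := split(samplePath, splitIndexLowercased(samplePath, ".php"))
	fmt.Printf("flawed:    SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
	s, p = split(samplePath, splitIndexASCII(samplePath, ".php"))
	fmt.Printf("corrected: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
}
```

With the flawed index, SCRIPT_NAME ends in ".p" and PATH_INFO starts with "hp/", so the script file handed to FastCGI is no longer the .php file the request named.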

Affected Version(s)

caddy < 2.11.1

CVSS V4

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
