Vulnerability in Caddy's FastCGI Transport Can Lead to Remote Code Execution
CVE-2026-45135

8.1 HIGH

Key Information:

Status:
Vendor:
CVE Published: 23 June 2026

What is CVE-2026-45135?

A vulnerability has been identified in Caddy Server's FastCGI transport, specifically in the splitPos() method that decides where a request path is split into the script name and the trailing path info. When the request path contains non-ASCII bytes, the case-insensitive matching performed via search.IgnoreCase handles them incorrectly, so the split can land at the wrong position. An attacker can use this to make the split logic treat a non-.php file as the executable script. If the attacker is also able to place content in files served through FastCGI (for example via file uploads or shared storage), a specially crafted URL can cause that content to be executed, resulting in remote code execution. The vulnerability has been addressed in version 2.11.3.
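The advisory does not show the affected code, so the following is an added illustration, not Caddy's implementation and not a reproduction of the search.IgnoreCase behaviour, of the hazard class it describes: computing a split index on a case-folded copy of the request path and then applying that byte index to the original path. Any non-ASCII character whose byte length changes under case folding desynchronises the two. The names naiveSplitPos, safeSplitPos, splitScript and splitPath, and the request path itself, are constructed for this example; the hardened variant folds ASCII letters only, so every offset it returns is a boundary in the original bytes.

```go
package main

import (
	"fmt"
	"strings"
)

// splitPath is a hypothetical list of split markers, modelled on a FastCGI
// "split_path" setting (constructed for this example).
var splitPath = []string{".php"}

// naiveSplitPos models the bug class: it lowercases the whole path with a
// Unicode-aware mapping, finds the marker in the folded copy, and applies that
// byte index to the ORIGINAL path. U+0130 'İ' (2 bytes in UTF-8) lowercases to
// ASCII 'i' (1 byte), so every index after it is off by one.
func naiveSplitPos(path string) int {
	lower := strings.ToLower(path)
	for _, split := range splitPath {
		if idx := strings.Index(lower, strings.ToLower(split)); idx >= 0 {
			return idx + len(split)
		}
	}
	return -1
}

// asciiFoldByte lowercases ASCII letters only and leaves every other byte
// untouched, so folding never changes the byte length of anything.
func asciiFoldByte(b byte) byte {
	if b >= 'A' && b <= 'Z' {
		return b + ('a' - 'A')
	}
	return b
}

// safeSplitPos compares the marker byte-by-byte against the original path
// with ASCII-only folding. No folded copy of a different length is ever
// created, so the returned offset is always valid in the original path.
func safeSplitPos(path string) int {
	for _, split := range splitPath {
		if len(split) == 0 || len(split) > len(path) {
			continue
		}
	candidates:
		for i := 0; i+len(split) <= len(path); i++ {
			for j := 0; j < len(split); j++ {
				if asciiFoldByte(path[i+j]) != asciiFoldByte(split[j]) {
					continue candidates
				}
			}
			return i + len(split)
		}
	}
	return -1
}

// splitScript derives (SCRIPT_NAME, PATH_INFO) from a split function and
// rejects out-of-range positions instead of panicking on the slice.
func splitScript(path string, pos func(string) int) (string, string, error) {
	p := pos(path)
	if p < 0 || p > len(path) {
		return "", "", fmt.Errorf("no valid split position for %q", path)
	}
	return path[:p], path[p:], nil
}

func main() {
	// Constructed request path: a non-ASCII directory name ahead of the script.
	path := "/İ/index.php/extra"
	variants := []struct {
		name string
		fn   func(string) int
	}{{"naive", naiveSplitPos}, {"safe", safeSplitPos}}
	for _, v := range variants {
		script, info, err := splitScript(path, v.fn)
		// naive: script="/İ/index.ph" pathinfo="p/extra"
		// safe:  script="/İ/index.php" pathinfo="/extra"
		fmt.Printf("%-5s script=%q pathinfo=%q err=%v\n", v.name, script, info, err)
	}
}
```

For a defender the useful check is the one splitScript makes visible: log or inspect the SCRIPT_NAME and PATH_INFO the transport actually derives for paths containing non-ASCII bytes, and confirm the script name ends exactly at the configured marker in the original bytes. Upgrading to 2.11.3 is the fix; limiting which directories can be handed to the FastCGI backend (upload and storage locations in particular) reduces the impact if a split is ever computed wrongly.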

Affected Version(s)

caddy >= 2.7.0, < 2.11.3

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved