CVE-2026-27585 — Improper Input Validation in Caddy

CWE-20 — Improper Input Validation8 documents6 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 65.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Caddyserver Caddy Github.com Caddyserver Caddy V2

Timeline

PublishedFeb 24

Latest updateFeb 26

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5caddyserver/caddy< 2.11.1

▶NVDcaddyserver/caddy< 2.11.1

▶Gogithub.com/caddyserver_caddy_v2< 2.11.1

🔴Vulnerability Details

OSV

Improper sanitization of glob characters in github.com/caddyserver/caddy/v2↗2026-02-26

▶

GHSA

Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections↗2026-02-24

▶

OSV

CVE-2026-27585: Caddy is an extensible server platform that uses TLS by default↗2026-02-24

▶

OSV

Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections↗2026-02-24

▶

CVEList

Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security protections↗2026-02-24

▶

📋Vendor Advisories

Debian

CVE-2026-27585: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27585 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶