CVE-2026-27585
Published 2026-02-24
Priority P3 (37) · Severity medium · CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:L / A:N
EPSS 0.32% (24.0th percentile)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy | 0 – 1.0.5 | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.4 | 2.11.4 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 6.5 | MEDIUM | |
| osv | | 6.9 | MEDIUM | |
| vendor_debian | | 6.9 | MEDIUM | |
GHSA (related advisory, a distinct CVE)
Caddy: Windows `file_server` path authorization bypass via encoded backslash
ghsa · 2026-06-16 · CVSS 6.5 · CVE-2026-52844 [MEDIUM] · CWE-22
### Summary
On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk.
An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy path-scoped auth/deny routes protecting `/private/*`.
### Details
The mismatch is between two Caddy code paths:
- `MatchPath.MatchWithError()` compares `r.URL.Path` using URL path semantics and does not normalize `\` to `/`: `modules/caddyhttp/matchers.go:429`, `:436`, `:490`, `:532`.
- If the route matcher misses, Caddy skips that route: `modules/caddyhttp/routes.go:271`.
- `file_server` then maps the same request path to a filesystem path
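The mismatch described above, reduced to a runnable model. This is an added example, not Caddy's code: `routeMatches` stands in for a prefix-style `path /private/*` matcher that compares the decoded request path with URL semantics only, `windowsFSPath` emulates a Windows file server folding `\` into the directory separator (emulated with string replacement so the program runs on any OS), and `normalizeForMatch` is the hardening step of folding backslashes before the matcher runs. The root `/srv` and the request paths are constructed inputs.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// protectedPrefix is what a route such as `path /private/*` is meant to guard.
const protectedPrefix = "/private/"

// routeMatches emulates a matcher that uses URL path semantics only:
// a backslash is an ordinary byte, not a separator. (Assumed model, not MatchPath.)
func routeMatches(reqPath string) bool {
	return strings.HasPrefix(reqPath, protectedPrefix)
}

// normalizeForMatch is the hardening step: fold '\' to '/' so the matcher and
// the file server see the same separator.
func normalizeForMatch(reqPath string) string {
	return strings.ReplaceAll(reqPath, `\`, "/")
}

// decodeRequestPath yields the path as net/http exposes it in r.URL.Path:
// percent-decoded, so %5c arrives as a literal backslash.
func decodeRequestPath(rawURI string) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// windowsFSPath emulates resolving the request path under root on Windows,
// where the OS treats '\' as a directory separator. (Emulation only.)
func windowsFSPath(root, reqPath string) string {
	folded := strings.ReplaceAll(reqPath, `\`, "/")
	return path.Join(root, path.Clean("/"+folded))
}

// insideProtected reports whether the resolved file lives under root/private/.
func insideProtected(root, fsPath string) bool {
	return strings.HasPrefix(fsPath, path.Join(root, protectedPrefix)+"/")
}

// bypassed is true when the deny route misses the request but the file server
// still resolves it inside the protected directory.
func bypassed(root, rawURI string, harden bool) (bool, error) {
	p, err := decodeRequestPath(rawURI)
	if err != nil {
		return false, err
	}
	matchInput := p
	if harden {
		matchInput = normalizeForMatch(p)
	}
	return !routeMatches(matchInput) && insideProtected(root, windowsFSPath(root, p)), nil
}

func main() {
	for _, uri := range []string{"/private/secret.txt", "/private%5csecret.txt", "/public/index.html"} {
		for _, harden := range []bool{false, true} {
			b, err := bypassed("/srv", uri, harden)
			fmt.Printf("uri=%-24s harden=%-5v bypass=%v err=%v\n", uri, harden, b, err)
		}
	}
}
```

The unhardened run flags `/private%5csecret.txt` as a bypass because the matcher never sees a `/private/` prefix while the emulated file server resolves `/srv/private/secret.txt`; folding backslashes before matching closes the gap. A server on a non-Windows filesystem would instead look for a file literally named `private\secret.txt`, which is why the advisory scopes this to Windows.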
OSV
Improper sanitization of glob characters in github.com/caddyserver/caddy/v2
osv · 2026-02-26 · CVE-2026-27585
GHSA
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
ghsa · 2026-02-24 · CVE-2026-27585 [MEDIUM] · CWE-20
### Summary
The path sanitization in the [file matcher](https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361) doesn't sanitize backslashes, which can lead to bypassing path-related security protections.
### Details
The [try_files](https://caddyserver.com/docs/caddyfile/directives/try_files) directive is used to rewrite the request URI. It accepts a list of patterns and checks whether any file exists in the root that matches one of them. It is commonly used in Caddy configs; for example, SPA deployments use it to rewrite every route that doesn't exist as a file to `index.html`.
```caddy
example.com {
ro
```
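The property the advisory names, a glob sanitizer that escapes `*`, `?` and `[` but not the escape character itself, shown as an added example rather than Caddy's own code. `vulnerableGlobSanitizer` and `fixedGlobSanitizer` are constructed stand-ins for the pre- and post-2.11.1 behaviour as the advisory describes it; the exact code path inside `try_files` is not reproduced. `wildcardLive` feeds the sanitized pattern to Go's `filepath.Match`, which honours backslash escapes on non-Windows systems (the Go documentation states that escaping is disabled on Windows, where `\` is a separator), and reports whether a client-supplied `\*` still acts as a wildcard. The request paths are constructed inputs.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// vulnerableGlobSanitizer escapes the metacharacters filepath.Match understands
// but leaves the escape character alone. Constructed stand-in, not Caddy's replacer.
var vulnerableGlobSanitizer = strings.NewReplacer(
	"*", `\*`,
	"?", `\?`,
	"[", `\[`,
)

// fixedGlobSanitizer also escapes the backslash, so a client cannot supply one
// that swallows the escape the sanitizer inserts right after it.
var fixedGlobSanitizer = strings.NewReplacer(
	`\`, `\\`,
	"*", `\*`,
	"?", `\?`,
	"[", `\[`,
)

// sanitizedPattern is the pattern a try_files-style matcher would hand to
// filepath.Match after substituting the request path for {path}.
func sanitizedPattern(san *strings.Replacer, reqPath string) string {
	return san.Replace(reqPath)
}

// wildcardLive reports whether the sanitized pattern still behaves as a glob:
// it must match the client's literal path, and if it also matches a name the
// client never sent, the trailing '*' survived sanitization as a live wildcard.
func wildcardLive(san *strings.Replacer, reqPath string) (bool, error) {
	pat := sanitizedPattern(san, reqPath)
	ok, err := filepath.Match(pat, reqPath)
	if err != nil || !ok {
		return false, err
	}
	probe := strings.TrimSuffix(reqPath, "*") + "other-file"
	return filepath.Match(pat, probe)
}

func main() {
	for _, reqPath := range []string{`/admin/*`, `/admin\*`} {
		for name, san := range map[string]*strings.Replacer{"vulnerable": vulnerableGlobSanitizer, "fixed": fixedGlobSanitizer} {
			live, err := wildcardLive(san, reqPath)
			fmt.Printf("%-10s path=%-10q pattern=%-14q wildcardLive=%v err=%v\n",
				name, reqPath, sanitizedPattern(san, reqPath), live, err)
		}
	}
}
```

With the vulnerable replacer, `/admin\*` becomes the pattern `/admin\\*`: the doubled backslash is consumed as a literal backslash and the `*` is a wildcard again. The fixed replacer produces `/admin\\\*`, where the star is escaped and only the literal path matches.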
OSV
CVE-2026-27585: Caddy is an extensible server platform that uses TLS by default
osv · 2026-02-24 · CVSS 6.9 · [MEDIUM]
Description: same text as the NVD description above.
OSV
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
osv · 2026-02-24 · CVE-2026-27585 [MEDIUM]
Same advisory text as the GHSA entry above.
Debian
CVE-2026-27585: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...
vendor_debian · 2026 · CVSS 6.9 · [MEDIUM]
Description: same text as the NVD description above.
Scope: local
bookworm: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [fedora-all]
bugzilla · 2026-06-12 · CVSS 6.5 · [MEDIUM]
+++ This bug was initially created as a clone of Bug #2442472 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27585 caddy: Caddy: Path security bypass due to unsanitized backslashes [epel-all]
bugzilla · 2026-02-24 · CVSS 6.5 · [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27585 github.com/caddyserver/caddy/v2/modules/caddyhttp/fileserver: Caddy: Path security bypass due to unsanitized backslashes
bugzilla · 2026-02-24 · CVSS 6.5 · [MEDIUM]
Description: same text as the NVD description above.
Wiz
CVE-2026-27585 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9 · [MEDIUM]
## CVE-2026-27585: NixOS vulnerability analysis and mitigation
Description: same text as the NVD description above (Source: NVD).
Score 6.9 · Published February 24, 2026 · Severity MEDIUM · CNA Score 6.9
Affected Technologies: NixOS, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No (CISA KEV Release Date N/A, CISA KEV Due Date N/A)
Exploitation Probability (EPSS): 0.1 · Exploitation Probability Percentile (EPSS): 34.4
Affected packages and libraries: github.com/caddyserver/caddy, github.com/caddyserver/cadd
References:
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361
- https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L398
- https://github.com/caddyserver/caddy/releases/tag/v2.11.1
- https://github.com/caddyserver/caddy/security/advisories/GHSA-4xrr-hq4w-6vf4
Published 2026-02-24