CVE-2026-27586
Published 2026-02-24
Priority P358 · Severity critical · CVSS 3.1 base score 9.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.27% (percentile 18.3)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca_certs_pem_files` for mTLS will silently degrade to accepting any system-trusted client certificate if the CA file becomes unavailable. This can happen due to a typo in the path, file rotation, corruption, or permission changes. The server gives no indication that mTLS is misconfigured. Version 2.11.1 fixes the vulnerability.
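The failure mode is easier to reason about in code. The Go program below is an added example written for this page; it is not Caddy's code and does not reproduce the real `provision()` method (the GHSA details section further down quotes the actual swallowed returns). `loadClientCAPoolFailOpen` has the same shape as the bug: on a read or parse error it returns a nil pool, and in Go's `crypto/tls` a nil `ClientCAs` makes client-certificate verification fall back to the system root store, which is why the server ends up accepting any certificate from a public CA. `loadClientCAPool` is the fail-closed form, and `checkClientAuth` is a post-provisioning guard that refuses a `tls.Config` that demands verified client certificates but has no pool. All function and type names, the throwaway self-signed CA and the corrupt PEM file are assumptions constructed for the example, not values from the advisory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// loadClientCAPoolFailOpen (hypothetical, not Caddy's code) has the shape of the bug the
// advisory describes: a read or parse failure is swallowed and the caller gets a nil pool.
// crypto/tls treats a nil ClientCAs as "verify against the system roots".
func loadClientCAPoolFailOpen(paths []string) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, p := range paths {
		if data, err := os.ReadFile(p); err != nil || !pool.AppendCertsFromPEM(data) {
			return nil // BUG: error swallowed; a nil pool means system roots
		}
	}
	return pool
}

// loadClientCAPool is the fail-closed form: the same two conditions become hard errors, so a
// typo'd path, a rotated-away file or a corrupt PEM stops provisioning instead of degrading it.
func loadClientCAPool(paths []string) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	for _, p := range paths {
		data, err := os.ReadFile(p)
		if err != nil {
			return nil, fmt.Errorf("reading trusted CA file %q: %w", p, err)
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("trusted CA file %q contains no parseable certificate", p)
		}
	}
	return pool, nil
}

// checkClientAuth is a post-provisioning guard: verifying client certificates against a nil
// ClientCAs pool is exactly the fail-open state, so refuse to serve with such a config.
func checkClientAuth(cfg *tls.Config) error {
	if cfg.ClientAuth >= tls.VerifyClientCertIfGiven && cfg.ClientCAs == nil {
		return fmt.Errorf("ClientAuth=%v but ClientCAs is nil; system roots would be used", cfg.ClientAuth)
	}
	return nil
}

// writeExampleCA writes a throwaway self-signed CA to dir/ca.pem (constructed fixture).
func writeExampleCA(dir string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-private-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "ca.pem")
	return path, os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600)
}

// Scenario records, per CA file, whether the buggy loader handed back nil (the server would
// start, trusting system roots) and whether the fail-closed loader refused to provision.
type Scenario struct {
	Name                   string
	FailOpenNil, StrictErr bool
}

// runScenarios exercises a good, a missing (typo'd path) and a malformed CA file under dir.
func runScenarios(dir string) ([]Scenario, error) {
	good, err := writeExampleCA(dir)
	if err != nil {
		return nil, err
	}
	bad := filepath.Join(dir, "corrupt.pem") // valid PEM framing around non-DER bytes (constructed)
	if err := os.WriteFile(bad, []byte("-----BEGIN CERTIFICATE-----\naGVsbG8gd29ybGQ=\n-----END CERTIFICATE-----\n"), 0o600); err != nil {
		return nil, err
	}
	var out []Scenario
	for _, c := range []struct{ name, path string }{{"good", good}, {"missing", filepath.Join(dir, "typo.pem")}, {"malformed", bad}} {
		_, strictErr := loadClientCAPool([]string{c.path})
		out = append(out, Scenario{c.name, loadClientCAPoolFailOpen([]string{c.path}) == nil, strictErr != nil})
	}
	return out, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-example")
	defer os.RemoveAll(dir)
	scenarios, err := runScenarios(dir)
	fmt.Println(scenarios, err, checkClientAuth(&tls.Config{ClientAuth: tls.RequireAndVerifyClientCert}))
}
```

Running it prints the three scenario results and the guard's error: for the good file both loaders succeed; for the typo'd path and the corrupt file the fail-open loader hands back nil (the server would start) while the fail-closed loader returns an error (the server would refuse to start). With the fix, a `return err` in place of each `return nil`, the same conditions stop Caddy from loading the configuration rather than starting in a degraded state, so an operator upgrading to 2.11.1 whose CA file was already missing should expect a startup failure rather than a silent success.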
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
OSV
Caddy mTLS authentication fails open in github.com/caddyserver/caddy/v2
osv · 2026-02-26
GHSA
Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed
ghsa · 2026-02-24 · HIGH · CWE-755
### Summary
Two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary.
### Details
In `modules/caddytls/connpolicy.go`, the `provision()` method has two `return nil` statements that should be `return err`:
**Bug #1 — line 787:**
```go
ders, err := convertPEMFilesToDER(fpath)
if err != nil {
return nil // BUG: should be "return err"
}
```
**Bug #2 — line 800:**
```go
err := caPool.Provision(ctx)
```
OSV
CVE-2026-27586: Caddy is an extensible server platform that uses TLS by default
osv · 2026-02-24 · CVSS 8.8 · HIGH
Debian
CVE-2026-27586: caddy
vendor_debian · 2026 · CVSS 8.8 · HIGH
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27586 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8 · HIGH
Source: NVD. Published February 24, 2026. CNA score 8.8.
Affected technologies: NixOS, Wolfi. Affected packages: github.com/caddyserver/caddy, caddy.
Has public exploit: Yes. CISA KEV: No (release date N/A, due date N/A).
EPSS as reported by Wiz: probability 0.1, percentile 31.
| Distribution | Versions | Severity | Fix | Added |
|---|---|---|---|---|
| Alpine | 3.10 through 3.23, edge | CRITICAL | has fix | Mar 02, 2026 |
| Chainguard | — | — | has fix | Feb 24, 2026 |
| Debian | 12, 13 | CRITICAL | no fix | Feb 24, 2026 |
| Echo | — | — | — | — |
Bugzilla
CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [fedora-all]
bugzilla · 2026-06-12 · CVSS 9.1 · CRITICAL
+++ This bug was initially created as a clone of Bug #2442430 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
--- Additional comment from Jon Moroney on 2026-02-24 13:28:14 CST ---
--- Additional comment from Jon Moroney on 2026-02-24 13:28:20 CST ---
--- Additional comment from Jon Moroney on 2026-02-24 13:28:26 CST ---
Bugzilla
CVE-2026-27586 caddy: Caddy: Authentication bypass via mTLS client certificate validation failure [epel-all]
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL
Discussion: Bugs 2442433, 2442432 and 2442431 have been marked as duplicates of this bug.
Bugzilla
CVE-2026-27586 github.com/caddyserver/caddy/v2/modules/caddytls: Caddy: Authentication bypass via mTLS client certificate validation failure
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL
Published 2026-02-24