CVE-2026-27586: Improper Handling of Exceptional Conditions in Caddy

Severity: 8.8 HIGH (NVD)
EPSS: 0.1% (top 69.00%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 24; latest update Feb 26

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate signed by any system-trusted CA, completely bypassing the intended private CA trust boundary. Any deployment using `trusted_ca_cert_file` or `trusted_ca
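The bug class the description refers to, as an added Go illustration that is not Caddy's code and is not taken from the advisory: a client-CA loader that swallows read and parse errors beside one that surfaces them, plus a configuration check that catches the resulting state before the listener starts. The function names, the `ErrNoClientCAs` variable and the self-signed test CA are assumptions of this example. The check relies on documented standard-library behaviour, not on anything in this record: `crypto/tls` uses `ClientCAs` as the verification roots, and a nil root set makes `crypto/x509` fall back to the system trust store, which is exactly the fail-open outcome described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// ErrNoClientCAs (assumed name) is returned when a client-CA configuration loads no usable certificate.
var ErrNoClientCAs = errors.New("no client CA certificates loaded")

// loadClientCAsFailOpen models the swallowed-error pattern: the read error and the parse
// error are both discarded, so a missing, unreadable or malformed file leaves the pool nil
// and the caller never learns that its private CA was not installed.
func loadClientCAsFailOpen(paths []string) *x509.CertPool {
	var certs []*x509.Certificate
	for _, p := range paths {
		pemBytes, _ := os.ReadFile(p) // error swallowed: a missing file reads as empty
		for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
			cert, _ := x509.ParseCertificate(block.Bytes) // error swallowed: bad DER is skipped
			if cert != nil {
				certs = append(certs, cert)
			}
		}
	}
	if len(certs) == 0 {
		return nil // nothing loaded, nothing reported: ClientCAs stays nil
	}
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// parseCACerts parses every CERTIFICATE block in a PEM file and fails on any unparsable block
// or on a file that yields no certificate at all.
func parseCACerts(pemBytes []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := pemBytes
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, ErrNoClientCAs
	}
	return certs, nil
}

// loadClientCAsFailClosed is the hardened form: every error is surfaced and an empty
// configuration is itself an error, so provisioning aborts instead of starting without a CA.
func loadClientCAsFailClosed(paths []string) (*x509.CertPool, error) {
	if len(paths) == 0 {
		return nil, ErrNoClientCAs
	}
	pool := x509.NewCertPool()
	for _, p := range paths {
		pemBytes, err := os.ReadFile(p)
		if err != nil {
			return nil, fmt.Errorf("client CA file %q: %w", p, err)
		}
		certs, err := parseCACerts(pemBytes)
		if err != nil {
			return nil, fmt.Errorf("client CA file %q: %w", p, err)
		}
		for _, c := range certs {
			pool.AddCert(c)
		}
	}
	return pool, nil
}

// fallsBackToSystemRoots is a pre-start assertion: client verification is requested, but no
// private root set is installed, so crypto/tls would accept any system-trusted client cert.
func fallsBackToSystemRoots(cfg *tls.Config) bool {
	return cfg.ClientAuth >= tls.VerifyClientCertIfGiven && cfg.ClientCAs == nil
}

// newCAPEM builds a throwaway self-signed CA (constructed test data, not a real CA).
func newCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-private-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls-demo")
	defer os.RemoveAll(dir)
	missing := filepath.Join(dir, "does-not-exist.pem")

	cfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: loadClientCAsFailOpen([]string{missing})}
	fmt.Println("fail-open loader, missing file -> falls back to system roots:", fallsBackToSystemRoots(cfg))
	_, err := loadClientCAsFailClosed([]string{missing})
	fmt.Println("fail-closed loader, missing file -> error:", err)
}
```

A useful deployment check follows directly from `fallsBackToSystemRoots`: start the server once with the CA path deliberately pointed at a non-existent file and confirm it refuses to start; a server that comes up cleanly in that test has the fail-open behaviour described above.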

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEListV5: caddyserver/caddy < 2.11.1
NVD: caddyserver/caddy < 2.11.1

Vulnerability Details (5)

OSV: Caddy mTLS authentication fails open in github.com/caddyserver/caddy/v2 (2026-02-26)
CVEList: Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malformed (2026-02-24)
GHSA: Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed (2026-02-24)
OSV: CVE-2026-27586: Caddy is an extensible server platform that uses TLS by default (2026-02-24)
OSV: Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed (2026-02-24)

Vendor Advisories (1)

Debian: CVE-2026-27586: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-27586 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-27586: Caddyserver Caddy vulnerability | cvebase