CVE-2026-27587
Published 2026-02-24
Priority P260 · Severity critical · CVSS 3.1 base score 9.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.37% (28.8th percentile)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path. Version 2.11.1 contains a fix for the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| caddyserver | caddy | >= 2.10.2 < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
Detection & IOCs (extracted from sources)
- Detect path-based access control bypass attempts by monitoring HTTP requests where the path contains percent-escape sequences (`%xx`) with mixed or uppercase hex digits (e.g., `%2F` vs `%2f`), targeting routes that use Caddy's HTTP path matcher; the attacker changes the casing of the escaped path to evade case-insensitive matching.
- Flag HTTP requests to Caddy servers (pre-2.11.1) where the URL path contains percent-encoded sequences with uppercase hex letters (A-F) that differ only in case from a known restricted path pattern, as this is the bypass vector.
- Scope detection to the vulnerable Go module `github.com/caddyserver/caddy/v2/modules/caddyhttp` in SAST/SCA pipelines for versions prior to 2.11.1.
- The vulnerability only triggers when Caddy route match patterns themselves contain percent-escape sequences (`%xx`). Configurations using plain (non-percent-encoded) path patterns are not affected by this bypass.
- A fix is available in Caddy version 2.11.1. Debian bookworm, sid, and trixie packages remain open/unpatched as of the tracker snapshot.
CVSS provenance
- nvd (CVSS v3.1): 9.1 CRITICAL, vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
- nvd (CVSS v4.0): 7.7 HIGH, vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X`
- osv: 7.7 HIGH
- vendor_debian: 7.7 HIGH
OSV
Caddy MatchPath %xx branch skips case normalization in github.com/caddyserver/caddy/v2
osv · 2026-02-26
OSV
CVE-2026-27587: Caddy is an extensible server platform that uses TLS by default
osv · 2026-02-24 · CVSS 7.7 · HIGH
GHSA
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
ghsa · 2026-02-24 · HIGH · CWE-178
### Summary
Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any access controls attached to that route by changing the casing of the request path.
### Details
In Caddy `v2.10.2`, `MatchPath` is explicitly designed to be case-insensitive and lowercases match patterns during provisioning:
- `modules/caddyhttp/matchers.go`: rationale captured in the `MatchPath` comment.
- `MatchPath.Provision` lowercases configured patterns via `strings.ToLower`.
- `MatchPath.MatchWithError` lowerc
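To make the mechanism in the Details section concrete, and to give the detection notes above something to run, here is an added, self-contained model of the defect written for this page. It is not Caddy's `MatchPath` code; `pathMatcher`, `newPathMatcher`, `matchVulnerable`, `matchFixed` and `hasUppercaseEscape` are hypothetical names, and the guarded route `/admin%2Fpanel` and the sample request paths are constructed inputs. The vulnerable variant lowercases patterns at provision time but compares a `%xx` pattern against the request's escaped path as sent; the fixed variant lowercases the escaped path too.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// pathMatcher is a deliberately simplified, hypothetical model of an
// exact-match path matcher that is meant to be case-insensitive. It is not
// Caddy's MatchPath; it only reproduces the pattern the advisory describes.
type pathMatcher struct {
	patterns []string // lowercased at provision time
}

// newPathMatcher lowercases every configured pattern, mirroring what the
// advisory says MatchPath.Provision does with strings.ToLower.
func newPathMatcher(patterns []string) *pathMatcher {
	m := &pathMatcher{}
	for _, p := range patterns {
		m.patterns = append(m.patterns, strings.ToLower(p))
	}
	return m
}

// matchVulnerable models the defect. A pattern containing a percent escape
// is compared against the request's escaped path exactly as the client sent
// it, so a request that differs only in case no longer matches, and any
// access control attached to the route is skipped.
func (m *pathMatcher) matchVulnerable(u *url.URL) bool {
	for _, p := range m.patterns {
		if strings.Contains(p, "%") {
			if u.EscapedPath() == p { // never lowercased: the bug
				return true
			}
			continue
		}
		if strings.ToLower(u.Path) == p {
			return true
		}
	}
	return false
}

// matchFixed lowercases both the decoded and the escaped request path before
// comparing, so the casing chosen by the client cannot change the routing
// decision. Lowercasing the hex digits inside a %xx sequence never changes
// the byte it encodes, so this is safe for the escaped branch.
func (m *pathMatcher) matchFixed(u *url.URL) bool {
	lowerPath := strings.ToLower(u.Path)
	lowerEscaped := strings.ToLower(u.EscapedPath())
	for _, p := range m.patterns {
		if strings.Contains(p, "%") {
			if lowerEscaped == p {
				return true
			}
			continue
		}
		if lowerPath == p {
			return true
		}
	}
	return false
}

// hasUppercaseEscape reports whether an escaped path contains a %xx sequence
// written with an uppercase hex digit, the signal the detection notes on
// this page suggest watching for on pre-2.11.1 deployments.
func hasUppercaseEscape(escapedPath string) bool {
	for i := 0; i+2 < len(escapedPath); i++ {
		if escapedPath[i] != '%' {
			continue
		}
		for _, c := range escapedPath[i+1 : i+3] {
			if c >= 'A' && c <= 'F' {
				return true
			}
		}
	}
	return false
}

// mustParse parses a request path the way a server would see it.
func mustParse(raw string) *url.URL {
	u, err := url.Parse(raw)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	// Constructed sample: a route guarding "/admin%2Fpanel" (the pattern
	// itself contains a percent escape, the precondition for the bug).
	m := newPathMatcher([]string{"/admin%2Fpanel"})
	for _, raw := range []string{"/admin%2fpanel", "/admin%2Fpanel", "/ADMIN%2fpanel", "/other"} {
		u := mustParse(raw)
		fmt.Printf("%-16s vulnerable=%-5v fixed=%-5v uppercaseEscape=%v\n",
			raw, m.matchVulnerable(u), m.matchFixed(u), hasUppercaseEscape(u.EscapedPath()))
	}
}
```

Running it shows `/admin%2fpanel` matching under both variants while `/admin%2Fpanel` and `/ADMIN%2fpanel` match only under the fixed variant; a plain pattern such as `/admin` is unaffected, as the page notes. The `hasUppercaseEscape` signal is noisy on its own because uppercase hex is the form RFC 3986 recommends URI producers emit, so, as the second detection bullet says, it is only meaningful when the request differs solely in case from a known restricted pattern; the durable fix is upgrading to 2.11.1.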
OSV
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
osv·2026-02-24
Debian
CVE-2026-27587: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...
vendor_debian · 2026 · CVSS 7.7 · HIGH
Scope: local
bookworm: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [fedora-all]
bugzilla · 2026-06-12 · CVSS 9.1 · CRITICAL
+++ This bug was initially created as a clone of Bug #2442422 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27587 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL
Bugzilla
CVE-2026-27587 caddy: Caddy: Access control bypass due to improper handling of percent-escape sequences in HTTP path matcher [epel-all]
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL
Wiz
CVE-2026-27587 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.7 · HIGH
Wiz page excerpt (CVE-2026-27587: NixOS vulnerability analysis and mitigation; source: NVD):
- Score: 7.7 (CNA score 7.7), severity HIGH
- Published: February 24, 2026
- Affected technologies: NixOS, Wolfi
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Exploitation probability (EPSS): 0.1, percentile 18.6
- Affected packages and libraries: caddy, github.com/caddyserver/caddy
- Sources: NVD
- Distribution status:
  - Alpine 3.23, edge: severity CRITICAL, has fix, added Mar 02, 2026
  - Chainguard: has fix, added Feb 24, 2026
  - Debian 12, 13: severity CRITICAL, no fix, added Feb 24, 2026
  - Echo: severity CRITICAL, no fix, added Feb 24, 2026
  - GoLang: severity HIGH, has fix, added Feb 25, 2026
  - Homebrew: severity CRITICAL, has fix, added at: M