CVE-2026-27588Improper Handling of Case Sensitivity in Caddy

CWE-178Improper Handling of Case Sensitivity8 documents6 sources
Severity
7.7HIGHNVD
EPSS
0.1%
top 81.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Caddyserver CaddyGithub.com Caddyserver Caddy V2
Timeline
PublishedFeb 24
Latest updateFeb 26

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5caddyserver/caddy< 2.11.1
NVDcaddyserver/caddy2.10.22.11.1

🔴Vulnerability Details

5
OSV
Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v22026-02-26
GHSA
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass2026-02-24
OSV
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass2026-02-24
CVEList
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass2026-02-24
OSV
CVE-2026-27588: Caddy is an extensible server platform that uses TLS by default2026-02-24

📋Vendor Advisories

1
Debian
CVE-2026-27588: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27588 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-27588 — Improper Handling of Case Sensitivity | cvebase