CVE-2026-27588
published 2026-02-24
Priority P3 · 59
Severity critical · CVSS 3.1 base score 9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.37% (28.9th percentile)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header. Version 2.11.1 contains a fix for the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| caddyserver | caddy | >= 2.10.2 < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| nvd | 4.0 | 7.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 7.7 | HIGH | — |
| vendor_debian | — | 7.7 | HIGH | — |
The 9.1 critical headline comes from the NVD 3.1 vector, which rates confidentiality impact High (C:H); the 7.7 high reported by the other sources comes from the NVD 4.0 vector, which rates it None (VC:N) and integrity High (VI:H). The two vectors disagree on confidentiality impact, not on exploitability, so read the headline severity with that in mind.
OSV
Caddy MatchHost becomes case-sensitive in github.com/caddyserver/caddy/v2
osv · 2026-02-26
GHSA
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
ghsa · 2026-02-24 · HIGH · CWE-178 (Improper Handling of Case Sensitivity)
### Summary
Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls attached to that route by changing the casing of the `Host` header.
### Details
In Caddy `v2.10.2`, the `MatchHost` matcher states it matches the Host value case-insensitively:
- `modules/caddyhttp/matchers.go`: `type MatchHost matches requests by the Host value (case-insensitive).`
However, in `MatchHost.MatchWithError`, when the host list is considered "large" (`len(m) > 100`):
- `MatchHost.large()` returns true fo
OSV (mirror of the GHSA advisory above)
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
osv · 2026-02-24 · HIGH
OSV
CVE-2026-27588: Caddy is an extensible server platform that uses TLS by default
osv · 2026-02-24 · CVSS 7.7 · HIGH
Debian
CVE-2026-27588: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...
vendor_debian · 2026 · CVSS 7.7 · HIGH
Scope: local
bookworm: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-27588 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.7 · HIGH
CVE-2026-27588: NixOS vulnerability analysis and mitigation
Source: NVD · Published February 24, 2026 · Severity HIGH · CNA score 7.7
Affected technologies: NixOS, Wolfi
Has public exploit: Yes · CISA KEV: No (release date N/A, due date N/A)
EPSS: 0.1 (18.6th percentile), a different snapshot from the 0.37% / 28.9th percentile shown at the top of this page
Affected packages and libraries: github.com/caddyserver/caddy/v2, github.com/caddyserver/caddy/v2/modules/caddyhttp
Wiz flags a public exploit while this page's own index above lists none, so treat exploit availability as unconfirmed rather than absent.
Distribution status:
| Distribution | Severity | Fix | Added |
|---|---|---|---|
| Alpine 3.23, edge | CRITICAL | Has fix | Mar 02, 2026 |
| Chainguard | — | Has fix | Feb 24, 2026 |
| Debian 12, 13 | CRITICAL | No fix | Feb 24, 2026 |
| Echo | CRITICAL | No fix | Feb 24, 2026 |
| GoLang | HIGH | Has fix | Feb 25, 2026 |
Bugzilla
CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [fedora-all]
bugzilla · 2026-06-12 · CVSS 9.1 · CRITICAL
This bug was initially created as a clone of Bug #2442435.
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27588 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Access control bypass due to case-sensitive host matching
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL
Bugzilla
CVE-2026-27588 caddy: Caddy: Access control bypass due to case-sensitive host matching [epel-all]
bugzilla · 2026-02-24 · CVSS 9.1 · CRITICAL