CVE-2026-27590
published 2026-02-24
Priority P359 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 0.54% (41.4th percentile)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` to execute a different on-disk file than intended (path confusion). In setups where an attacker can control file contents (e.g., upload features), this can lead to unintended PHP execution of non-.php files (potential RCE depending on deployment). Version 2.11.1 fixes the issue.
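To make the byte-offset mismatch concrete, here is an added Go example, written for this page and not taken from Caddy's source, that reconstructs the pattern the advisory describes (split index computed on a `strings.ToLower()` copy, then applied to the original path) beside a length-preserving ASCII-only fold. The function names `naiveSplitPath`, `safeSplitPath`, `foldASCII` and `foldChangesLength`, the `.php` marker argument and the sample path are assumptions; the ASCII-only fold is one possible fix and is not claimed to be the change shipped in 2.11.1.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveSplitPath is an illustrative reconstruction of the flawed pattern
// (not Caddy's code): the split index is computed on strings.ToLower(path)
// and then used to slice the ORIGINAL path. Returns (scriptName, pathInfo).
func naiveSplitPath(path, marker string) (string, string) {
	lower := strings.ToLower(path)
	idx := strings.Index(lower, strings.ToLower(marker))
	if idx < 0 {
		return path, ""
	}
	split := idx + len(marker)
	if split > len(path) {
		// Folding shrank the string; clamp rather than panic on an
		// out-of-range slice. The result is wrong either way.
		split = len(path)
	}
	return path[:split], path[split:]
}

// foldASCII lowercases only A-Z. Every byte maps to exactly one byte, so an
// index into the folded copy is also a valid index into the original.
func foldASCII(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// safeSplitPath is one length-preserving alternative (an assumed fix, not
// necessarily the one Caddy shipped). marker is expected to be ASCII.
func safeSplitPath(path, marker string) (string, string) {
	idx := strings.Index(foldASCII(path), foldASCII(marker))
	if idx < 0 {
		return path, ""
	}
	split := idx + len(marker)
	return path[:split], path[split:]
}

// foldChangesLength reports whether Unicode lowercasing changes the UTF-8
// byte length of s, i.e. whether the naive approach can misplace the split.
// Useful as a regression check on any path-splitting code you maintain.
func foldChangesLength(s string) bool {
	return len(strings.ToLower(s)) != len(s)
}

func main() {
	// Constructed sample: U+212A KELVIN SIGN is 3 bytes in UTF-8 but
	// lowercases to plain ASCII 'k' (1 byte), shifting every later index by 2.
	path := "/\u212A/app.php/info"
	fmt.Println("length changes:", foldChangesLength(path))
	s, p := naiveSplitPath(path, ".php")
	fmt.Printf("naive: SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
	s, p = safeSplitPath(path, ".php")
	fmt.Printf("safe:  SCRIPT_NAME=%q PATH_INFO=%q\n", s, p)
}
```

With the constructed path, the naive split yields a `SCRIPT_NAME` ending in `app.p` rather than `app.php`, which is exactly the "different on-disk file than intended" confusion the advisory describes; the ASCII-only fold keeps the offsets aligned because it never changes byte length.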
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | < 2.11.1 | 2.11.1 |
| debian | caddy | — | — |
| github.com | caddyserver_caddy_v2 | >= 0 < 2.11.1 | 2.11.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.9 | HIGH | — |
| vendor_debian | — | 8.9 | HIGH | — |
OSV
Unicode case-folding causes incorrect split_path index in github.com/caddyserver/caddy/v2
osv·2026-02-26
OSV
CVE-2026-27590: Caddy is an extensible server platform that uses TLS by default
osv·2026-02-24·CVSS 8.9
OSV
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
osv·2026-02-24
### Details
The issue is in
GHSA
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
ghsa·2026-02-24
CVE-2026-27590 [HIGH] CWE-20 Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
Debian
CVE-2026-27590: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...
vendor_debian·2026·CVSS 8.9
Scope: local
bookworm
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [fedora-all]
bugzilla·2026-06-12·CVSS 9.8
+++ This bug was initially created as a clone of Bug #2442424 +++
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-27590 caddy: Caddy: Remote Code Execution via FastCGI path confusion [epel-all]
bugzilla·2026-02-24·CVSS 9.8
Bugzilla
CVE-2026-27590 github.com/caddyserver/caddy/v2/modules/caddyhttp: Caddy: Remote Code Execution via FastCGI path confusion
bugzilla·2026-02-24·CVSS 9.8
Wiz
CVE-2026-27590 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
## CVE-2026-27590: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 8.9
Published: February 24, 2026
Severity: HIGH
CNA Score: 8.9
Affected Technologies: NixOS, Wolfi
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 52
Exploitation Probability (EPSS): 0.3
Affected packages and libraries
caddy
github.com/caddyserver/caddy/v2
Sources
NVD
| Distribution | Versions | Severity | Fix | Added at |
|---|---|---|---|---|
| Alpine | 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge | CRITICAL | Has Fix | Mar 02, 2026 |
| Chainguard | — | — | Has Fix | Feb 24, 2026 |
| Debian | 12, 13 | CRITICAL | No Fix | Feb 24, 2026 |
| Echo | — | CRITI | — | — |