CVE-2026-27590Improper Input Validation in Caddy

CWE-20Improper Input ValidationCWE-180Incorrect Behavior Order: Validate Before Canonicalize8 documents6 sources
Severity
8.9HIGHNVD
EPSS
0.3%
top 47.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Caddyserver CaddyGithub.com Caddyserver Caddy V2
Timeline
PublishedFeb 24
Latest updateFeb 26

Description

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some characters. As a result, Caddy can derive an incorrect `SCRIPT_NAME`/`SCRIPT_FILENAME` and `PATH_INFO`, potentially causing a request that contains `.php` t

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5caddyserver/caddy< 2.11.1
NVDcaddyserver/caddy< 2.11.1

🔴Vulnerability Details

5
OSV
Unicode case-folding causes incorrect split_path index in github.com/caddyserver/caddy/v22026-02-26
OSV
CVE-2026-27590: Caddy is an extensible server platform that uses TLS by default2026-02-24
CVEList
Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport2026-02-24
OSV
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport2026-02-24
GHSA
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport2026-02-24

📋Vendor Advisories

1
Debian
CVE-2026-27590: caddy - Caddy is an extensible server platform that uses TLS by default. Prior to versio...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-27590 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-27590 — Improper Input Validation in Caddy | cvebase