CVE-2026-45692
Published 2026-06-23
Priority: P4 · 17 · low
CVSS 3.1: 3.8 (low), vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.14% (4.1th percentile)
Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the authorization layer uses string prefix matching and the /config traversal layer parses array indices numerically using strconv.Atoi(). This vulnerability is fixed in 2.11.3.
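The mismatch described above, shown as an added illustration. This is example code written for this page, not Caddy's admin API implementation: the sample config, the permitted path, the two model functions and the `strict` option are all constructed assumptions. It pairs a string-prefix authorization check with a traversal that parses array indices via `strconv.Atoi`, which accepts leading zeros and an explicit sign, so a request path that shares the permitted prefix `…/routes/0` can resolve to `routes[1]` by spelling the index `01`. The `strict` branch is a hardening the example proposes (accept only the canonical decimal form of an index), not a description of how 2.11.3 fixes the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample config (not a real Caddy config): one server, two routes.
const sampleConfig = `{
  "apps": {"http": {"servers": {"srv0": {"routes": [
    {"handle": [{"handler": "static_response", "body": "route zero"}]},
    {"handle": [{"handler": "static_response", "body": "route one"}]}
  ]}}}}
}`

// authorizedByPrefix models the authorization layer the advisory describes:
// a request path is allowed if some permitted path is a string prefix of it.
func authorizedByPrefix(permitted []string, reqPath string) bool {
	for _, p := range permitted {
		if strings.HasPrefix(reqPath, p) {
			return true
		}
	}
	return false
}

// traverse models the /config traversal layer: it walks the decoded JSON by
// path segment and parses array indices with strconv.Atoi, so "01", "+1" and
// "1" all select element 1. With strict set it accepts only the canonical
// decimal form of an index (a hardening this example proposes, not the upstream fix).
func traverse(cfg any, reqPath string, strict bool) (any, error) {
	cur := cfg
	rel := strings.Trim(strings.TrimPrefix(reqPath, "/config"), "/")
	for _, seg := range strings.Split(rel, "/") {
		if seg == "" {
			continue
		}
		switch node := cur.(type) {
		case map[string]any:
			next, ok := node[seg]
			if !ok {
				return nil, fmt.Errorf("key %q not found", seg)
			}
			cur = next
		case []any:
			idx, err := strconv.Atoi(seg)
			if err != nil {
				return nil, fmt.Errorf("bad index %q: %w", seg, err)
			}
			if strict && strconv.Itoa(idx) != seg {
				return nil, fmt.Errorf("non-canonical index %q rejected", seg)
			}
			if idx < 0 || idx >= len(node) {
				return nil, fmt.Errorf("index %d out of range", idx)
			}
			cur = node[idx]
		default:
			return nil, fmt.Errorf("cannot descend into %T at %q", cur, seg)
		}
	}
	return cur, nil
}

// RouteBody runs both layers for one request and returns the static_response
// body of the route traversal actually reached, so the caller can compare it
// with the route the permitted prefix was meant to expose.
func RouteBody(permitted []string, reqPath string, strict bool) (string, error) {
	if !authorizedByPrefix(permitted, reqPath) {
		return "", fmt.Errorf("path %q not authorized", reqPath)
	}
	var cfg any
	if err := json.Unmarshal([]byte(sampleConfig), &cfg); err != nil {
		return "", err
	}
	node, err := traverse(cfg, reqPath, strict)
	if err != nil {
		return "", err
	}
	route, _ := node.(map[string]any)
	handle, _ := route["handle"].([]any)
	if len(handle) == 0 {
		return "", fmt.Errorf("path %q does not name a route with handlers", reqPath)
	}
	h, _ := handle[0].(map[string]any)
	body, _ := h["body"].(string)
	return body, nil
}

func main() {
	permitted := []string{"/config/apps/http/servers/srv0/routes/0"}
	// "routes/01" shares the permitted string prefix, yet Atoi("01") == 1 selects a different route.
	for _, p := range []string{"/config/apps/http/servers/srv0/routes/0", "/config/apps/http/servers/srv0/routes/01"} {
		lenient, err1 := RouteBody(permitted, p, false)
		strict, err2 := RouteBody(permitted, p, true)
		fmt.Printf("%s\n  lenient: %q %v\n  strict:  %q %v\n", p, lenient, err1, strict, err2)
	}
}
```

Running it shows the lenient pair agreeing for `routes/0` and disagreeing for `routes/01` (authorized, but resolved to "route one"), while the strict traversal rejects `01`. The canonical-form check `strconv.Itoa(idx) != seg` also catches a signed index such as `+0`; a more general fix is to make both layers compare the same normalized segments rather than one comparing raw strings and the other integers.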
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| caddyserver | caddy | — | — |
| caddyserver | caddy | >= 2.4.0 < 2.11.3 | 2.11.3 |
| github.com | caddyserver_caddy_v2 | >= 2.4.0 < 2.11.3 | 2.11.3 |
VulDB
CVE-2026-45692 [MEDIUM] caddyserver caddy up to 2.11.2 strconv.Atoi partial string comparison (GHSA-x5w9-xh9r-mvfc)
vuldb · 2026-06-23 · CVSS 5.4
A vulnerability was found in caddyserver caddy up to 2.11.2, rated medium by VulDB (CVSS 5.4). The affected element is the use of strconv.Atoi when the /config path is traversed; because the authorization check compares the path as a string prefix while traversal parses array indices numerically, the check amounts to a partial string comparison (CWE-187).
This vulnerability is documented as CVE-2026-45692. The attack can be executed remotely. No public exploit is available.
Upgrading the affected component is advised.
GHSA
CVE-2026-45692 [MEDIUM] CWE-187 Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
ghsa · 2026-05-19
This report is not about a normal textual prefix-expansion case.
The issue here is that the authorization layer and the `/config` traversal layer do **not agree on what object the path refers to**.
In this case, a path authorized for one config object is accepted, but then resolves to a **different config object** during traversal.
## AI Disclosure
The reporter used an LLM to help review the code, reason about the behavior, and help draft this report.
The reporter manually reproduced and validated the issue locally, confirmed the relevant source paths, and captured the requests and responses below.
## Summary
A remote admin client certificate restricted to the following path:
```text
/config/app
```
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.