Caddyserver Caddy vulnerabilities
20 known vulnerabilities affecting caddyserver/caddy.

Total CVEs: 20
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 7, MEDIUM 6, LOW 2

Vulnerabilities
CVE-2023-44487 | P1 | HIGH | CVSS 7.5 | KEV | PoC | fixed in 2.7.5 | 2023-10-10
[HIGH] CWE-400: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: NVD
CVE-2026-27587 | P2 | CRITICAL | CVSS 9.1 | affected ≥ 2.10.2, < 2.11.1 | fixed in 2.11.1 | 2026-02-24
[CRITICAL] CWE-178: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based routing and any
Source: NVD
CVE-2026-27590 | P3 | CRITICAL | CVSS 9.8 | fixed in 2.11.1 | 2026-02-24
[CRITICAL] CWE-20: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some charac
Source: NVD
CVE-2026-27588 | P3 | CRITICAL | CVSS 9.1 | affected ≥ 2.10.2, < 2.11.1 | fixed in 2.11.1 | 2026-02-24
[CRITICAL] CWE-178: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any access controls att
Source: NVD
CVE-2026-27586 | P3 | CRITICAL | CVSS 9.1 | fixed in 2.11.1 | 2026-02-24
[CRITICAL] CWE-755: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client certificate s
Source: NVD
CVE-2018-21246 | P3 | CRITICAL | CVSS 9.8 | fixed in 0.10.3 | 2020-06-15
[CRITICAL] CWE-287: Caddy before 0.10.13 mishandles TLS client authentication, as demonstrated by an authentication bypass caused by the lack of the StrictHostMatching mode.
Source: NVD
CVE-2026-30851 | P3 | HIGH | CVSS 8.8 | affected ≥ 2.10.0, < 2.11.2 | 2026-03-07
[HIGH] CWE-287: Caddy is an extensible server platform that uses TLS by default. From version 2.10.0 to before version 2.11.2, forward_auth copy_headers does not strip client-supplied headers, allowing identity injection and privilege escalation. This issue has been patched in version 2.11.2.
Source: NVD
CVE-2022-28923 | P3 | MEDIUM | CVSS 6.1 | PoC | v2.4.6 | 2023-02-06
[MEDIUM] CWE-601: Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
Sources: NVD, OSV
CVE-2026-45135 | P3 | HIGH | CVSS 8.1 | affected ≥ 2.7.0, < 2.11.3 | 2026-06-23
[HIGH] CWE-20: Caddy is an extensible server platform that uses TLS by default. From 2.7.0 until 2.11.3, the FastCGI transport's splitPos() in modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go misuses golang.org/x/text/search with search.IgnoreCase when the request path contains a non-ASCII byte. Two distinct flaws in that fallback let an attacker mislead Caddy's Fas
Source: NVD
CVE-2026-52845 | P3 | HIGH | CVSS 8.1 | fixed in 2.11.4 | 2026-06-23
[HIGH] CWE-287: Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, forward_auth copy_headers deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through php_fastcgi, Caddy normalizes HTTP headers into CGI variables by replacing - with _. This lets a cl
Source: NVD
CVE-2026-52844 | P3 | HIGH | CVSS 7.5 | fixed in 2.11.4 | 2026-06-23
[HIGH] CWE-22: Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, on Windows, Caddy path matchers treat /private\secret.txt as outside /private/*, but file_server later resolves the same request path as private\secret.txt on disk. An unauthenticated remote client can bypass Caddy path-scoped auth/deny routes protecting /private/*. This v
Source: NVD
CVE-2026-30852 | P3 | HIGH | CVSS 7.5 | affected ≥ 2.7.5, < 2.11.2 | 2026-03-07
[HIGH] CWE-74: Caddy is an extensible server platform that uses TLS by default. From version 2.7.5 to before version 2.11.2, the vars_regexp matcher in vars.go:337 double-expands user-controlled input through the Caddy replacer. When vars_regexp matches against a placeholder like {http.request.header.X-Input}, the header value gets resolved once (expected), then pass
Source: NVD
CVE-2026-27585 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.11.1 | 2026-02-24
[MEDIUM] CWE-20: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in the file matcher doesn't sanitize backslashes, which can lead to bypassing path-related security protections. It affects users with specific Caddy and environment configurations. Version 2.11.1 fixes the issue.
Source: NVD
CVE-2022-34037 | P3 | HIGH | CVSS 7.5 | v2.5.1 | 2022-07-22
[HIGH] CWE-125: An out-of-bounds read in the rewrite function at /modules/caddyhttp/rewrite/rewrite.go in Caddy v2.5.1 allows attackers to cause a Denial of Service (DoS) via a crafted URI. Note: This has been disputed as a bug, not a security vulnerability, in the Caddy web server that emerged when an administrator's bad configuration containing a malformed request
Source: NVD
CVE-2026-27589 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.11.1 | 2026-02-24
[MEDIUM] CWE-352: Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origin` not configured), the admin endpoint accepts cross-
Source: NVD
CVE-2023-50463 | P4 | MEDIUM | CVSS 6.5 | affected ≤ 0.6.0 | 2023-12-10
[MEDIUM] CWE-290: The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).
Source: NVD
CVE-2022-29718 | P4 | MEDIUM | CVSS 6.1 | affected ≥ 2.4.0, < 2.5.0 | 2022-06-02
[MEDIUM] CWE-601: Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users into clicking on crafted links.
Source: NVD
CVE-2026-52846 | P4 | MEDIUM | CVSS 4.2 | fixed in 2.11.4 | 2026-06-23
[MEDIUM] CWE-116: Caddy is an extensible server platform that uses TLS by default. Prior to 2.11.4, Caddy's stripHTML template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as img src=x onerror=alert()>, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HT
Source: NVD
CVE-2026-45692 | P4 | LOW | CVSS 3.8 | affected ≥ 2.4.0, < 2.11.3 | 2026-06-23
[LOW] CWE-187: Caddy is an extensible server platform that uses TLS by default. From 2.4.0 until 2.11.3, the authorization layer and the /config traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a different config object during traversal. This happens because the aut
Source: NVD
CVE-2018-19148 | P4 | LOW | CVSS 3.7 | affected ≤ 0.11.0 | 2018-11-10
[LOW] CWE-200: Caddy through 0.11.0 sends incorrect certificates for certain invalid requests, making it easier for attackers to enumerate hostnames. Specifically, when unable to match a Host header with a vhost in its configuration, it serves the X.509 certificate for a randomly selected vhost in its configuration. Repeated requests (with a nonexistent hostname in t
Source: NVD