
Github.Com Caddyserver Caddy V2 vulnerabilities

15 known vulnerabilities affecting github.com/caddyserver_caddy_v2.

Total CVEs: 15
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 8, UNKNOWN 1

Vulnerabilities

Page 1 of 1
CVE-2026-27587 | P2 | HIGH | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27587 [HIGH] CWE-178 Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Summary: Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based
Sources: ghsa, osv
CVE-2026-27590 | P3 | HIGH | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27590 [HIGH] CWE-20 Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
Summary: Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some cha
Sources: ghsa, osv
CVE-2026-27588 | P3 | HIGH | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27588 [HIGH] CWE-178 Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Summary: Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any acc
Sources: ghsa, osv
CVE-2026-27586 | P3 | HIGH | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27586 [HIGH] CWE-755 Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed
Summary: Two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client cert
Sources: ghsa, osv
CVE-2026-30851 | P3 | UNKNOWN | affected: ≥ 2.10.0, < 2.11.2 | 2026-03-10
CVE-2026-30851 Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
Summary: Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
Sources: osv
CVE-2022-28923 | P3 | MEDIUM | PoC | affected: ≥ 0, < 2.5.0-beta.1 | 2023-02-07
CVE-2022-28923 [MEDIUM] CWE-601 Open Redirect in Caddy
Summary: Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
Sources: ghsa, osv
CVE-2026-45135 | P3 | HIGH | affected: ≥ 2.7.0, < 2.11.3 | 2026-05-18
CVE-2026-45135 [HIGH] CWE-176 Caddy: Unsafe Unicode Handling in FastCGI splitPos Allows Execution of Non-PHP Files
Summary: The FastCGI transport's `splitPos()` in `modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go` (https://github.com/caddyserver/caddy/blob/master/modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go) misuses `golang.org/x/text/search` with `search.IgnoreCase` when the request path contains a
Sources: ghsa
CVE-2026-52844 | P3 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 2.11.4 | 2026-06-16
CVE-2026-52844 [MEDIUM] CWE-22 Caddy: Windows `file_server` path authorization bypass via encoded backslash
Summary: On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy path-scoped auth/deny routes protecting
Sources: ghsa
CVE-2026-52845 | P3 | HIGH | affected: ≥ 0, < 2.11.4 | 2026-06-16
CVE-2026-52845 [HIGH] CWE-287 Caddy: FastCGI header normalization bypass in `forward_auth copy_headers`
Summary: `forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`. This lets a client send an underscore alia
Sources: ghsa
CVE-2026-30852 | P3 | MEDIUM | CVSS 5.5 | affected: ≥ 2.11.0, ≤ 2.11.2 | 2026-05-19
CVE-2026-30852 [MEDIUM] CWE-917 Caddy CVE-2026-30852 Fix Bypass
TL;DR: CVE-2026-30852 fixed double expansion in `vars_regexp` when the variable key is a placeholder (e.g. `{http.vars.x}`). The fix does NOT protect literal key names (e.g. `tenant_id`). An attacker injects `{env.AWS_SECRET_ACCESS_KEY}` or `{file./etc/passwd}` via a request header → Caddy expands it on the second pass → secrets leaked in response headers. Affected: Caddy v2.11.0 through v
Sources: ghsa, osv
CVE-2026-27585 | P3 | MEDIUM | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27585 [MEDIUM] CWE-20 Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary: The path sanitization in the file matcher (https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361) doesn't sanitize backslashes which can lead to bypassing path related se
Sources: ghsa, osv
CVE-2026-27589 | P3 | MEDIUM | affected: ≥ 0, < 2.11.1 | 2026-02-24
CVE-2026-27589 [MEDIUM] CWE-352 Caddy is vulnerable to cross-origin config application via local admin API /load
commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as-of 2026-02-04); channel: GitHub security advisory (per SECURITY.md)
Summary: The local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enfo
Sources: ghsa, osv
CVE-2022-29718 | P4 | MEDIUM | affected: ≥ 0, < 2.5.0 | 2022-06-03
CVE-2022-29718 [MEDIUM] CWE-601 Open redirect in caddy
Summary: Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
Sources: ghsa, osv
CVE-2026-52846 | P4 | MEDIUM | affected: ≥ 0, < 2.11.4 | 2026-06-16
CVE-2026-52846 [MEDIUM] CWE-116 Caddy: stripHTML template function bypass
Summary: Caddy's `stripHTML` template function cannot reliably remove all HTML tags from input strings. Certain malformed HTML, such as `img src=x onerror=alert()>`, can bypass the tag-stripping logic, potentially leaving dangerous content in the output if it is later rendered as HTML. This may allow client-side XSS in cases where untrusted strings are rendered unsafely.
Sources: ghsa
CVE-2026-45692 | P4 | MEDIUM | affected: ≥ 2.4.0, < 2.11.3 | 2026-05-19
CVE-2026-45692 [MEDIUM] CWE-187 Caddy: Remote Admin Authorization Bypass in `/config` API via Array Index Normalization
Summary: This report is not about a normal textual prefix-expansion case. The issue here is that the authorization layer and the `/config` traversal layer do not agree on what object the path refers to. In this case, a path authorized for one config object is accepted, but then resolves to a
Sources: ghsa