github.com/caddyserver/caddy v2 vulnerabilities
10 known vulnerabilities affecting github.com/caddyserver_caddy_v2.
Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 4, UNKNOWN 2
Vulnerabilities
CVE-2026-30852 | UNKNOWN | affected: ≥ 2.7.5, < 2.11.2 | date: 2026-03-10
Caddy's vars_regexp double-expands user input, leaking env vars and files in github.com/caddyserver/caddy
Source: OSV

CVE-2026-30851 | UNKNOWN | affected: ≥ 2.10.0, < 2.11.2 | date: 2026-03-10
Caddy forward_auth copy_headers allows Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
Full title: Caddy forward_auth copy_headers Does Not Strip Client-Supplied Headers, Allowing Identity Injection and Privilege Escalation in github.com/caddyserver/caddy
Source: OSV

CVE-2026-27588 | HIGH | CWE-178 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass
Summary: Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypass host-based routing and any acc
Sources: GHSA, OSV

CVE-2026-27587 | HIGH | CWE-178 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/auth bypass
Summary: Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. An attacker can bypass path-based
Sources: GHSA, OSV

CVE-2026-27590 | HIGH | CWE-20 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy: Unicode case-folding length expansion causes incorrect split_path index in FastCGI transport
Summary: Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLower()` can change UTF-8 byte length for some cha
Sources: GHSA, OSV

CVE-2026-27586 | HIGH | CWE-755 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy: mTLS client authentication silently fails open when CA certificate file is missing or malformed
Summary: Two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts without error but accepts any client cert
Sources: GHSA, OSV

CVE-2026-27589 | MEDIUM | CWE-352 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy is vulnerable to cross-origin config application via local admin API /load
commit: e0f8d9b2047af417d8faf354b675941f3dac9891 (as-of 2026-02-04)
channel: GitHub security advisory (per SECURITY.md)
Summary: The local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enfo
Sources: GHSA, OSV

CVE-2026-27585 | MEDIUM | CWE-20 | affected: ≥ 0, < 2.11.1 | date: 2026-02-24
Caddy: Improper sanitization of glob characters in file matcher may lead to bypassing security protections
Summary: The path sanitization in [file matcher](https://github.com/caddyserver/caddy/blob/68d50020eef0d4c3398b878f17c8092ca5b58ca0/modules/caddyhttp/fileserver/matcher.go#L361) doesn't sanitize backslashes which can lead to bypassing path related se
Sources: GHSA, OSV

CVE-2022-28923 | MEDIUM | CWE-601 | PoC | affected: ≥ 0, < 2.5.0-beta.1 | date: 2023-02-07
Open Redirect in Caddy
Caddy v2.4.6 was discovered to contain an open redirection vulnerability which allows attackers to redirect users to phishing websites via crafted URLs.
Sources: GHSA, OSV

CVE-2022-29718 | MEDIUM | CWE-601 | affected: ≥ 0, < 2.5.0 | date: 2022-06-03
Open redirect in caddy
Caddy v2.4 was discovered to contain an open redirect vulnerability. A remote unauthenticated attacker may exploit this vulnerability to redirect users to arbitrary web URLs by tricking the victim users to click on crafted links.
Sources: GHSA, OSV