Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27585 is a security vulnerability in the Caddy web server's file matcher component, specifically related to improper sanitization of backslashes in glob patterns used by the try_files directive."}, {'type': 'paragraph', 'content': "The try_files directive rewrites request URIs by checking if files matching given glob patterns exist. While special glob characters like '*', '[', and '?' are properly escaped, backslashes ('\\') are not sanitized correctly."}, {'type': 'paragraph', 'content': "Because backslashes are not escaped, attackers can craft requests with encoded backslashes (e.g., '%5c') to bypass path-based security protections. For example, a reverse proxy restricting access to '/documents/*' can be bypassed by requesting '/do%5ccuments/', which the server treats as matching '/documents/'."}, {'type': 'paragraph', 'content': 'This flaw allows attackers to bypass security controls that rely on path matching, potentially leading to unauthorized access to protected files or resources.'}, {'type': 'paragraph', 'content': 'The issue affects Caddy versions prior to 2.11.0 and was fixed in version 2.11.0 and later.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to bypass path-based security protections configured in the Caddy server.

By exploiting the improper sanitization of backslashes in file matching patterns, attackers may gain unauthorized access to restricted files or directories that should otherwise be protected.

The impact depends on the specific Caddy configuration and environment, especially if security controls rely on path matching or blacklisting in separate route blocks.

Successful exploitation could lead to exposure of sensitive or confidential information stored on the server.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Caddy server version is prior to 2.11.0 or 2.11.1, as the issue was fixed starting from version 2.11.0 and 2.11.1. Additionally, you can test for the vulnerability by attempting to access protected paths using backslash-encoded characters (%5c) in URLs to see if path-based security protections are bypassed.

For example, you can try sending HTTP requests with backslash-encoded paths to your server and observe if restricted files or directories are accessible despite access controls.

Suggested commands to test this might include using curl to request a protected resource with a backslash encoded in the path, such as:

• curl -v http://your-caddy-server/do%5ccuments/secretfile
• curl -v http://your-caddy-server/secre%5ct/secret.txt

If these requests succeed in accessing files that should be restricted, it indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation step is to upgrade your Caddy server to version 2.11.1 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, review your Caddy configuration to ensure that the try_files directive and any blocking or filtering routes are in the same configuration block to prevent bypass scenarios.'}, {'type': 'paragraph', 'content': 'Avoid configurations where try_files executes before route or handle directives that enforce access controls, as this can be exploited.'}, {'type': 'paragraph', 'content': "Additionally, consider implementing other access control mechanisms outside of Caddy's try_files directive to protect sensitive paths until the upgrade can be performed."}] [1, 2]

Useful 0 Not Useful 0