CVE-2026-27587
Case-Sensitive Path Bypass in Caddy HTTP Request Matcher
Publication date: 2026-02-24
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| caddyserver | caddy | From 2.10.2 (inc) to 2.11.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-27587 is a vulnerability in Caddy server versions prior to 2.11.1 related to how HTTP request paths are matched. The server's path matcher is supposed to be case-insensitive, but when the match pattern contains percent-escape sequences (like %xx), it compares the request's escaped path without converting it to lowercase. This inconsistency allows an attacker to bypass path-based routing and any access controls tied to those routes by changing the casing of the request path's percent-encoded segments."}, {'type': 'paragraph', 'content': "For example, if a route is configured to block access to '/admin%2Fpanel', a request to '/admin%2Fpanel' will be blocked, but a request to '/ADMIN%2Fpanel' will bypass the block and be allowed. This happens because the matching logic treats the escaped path case-sensitively in this scenario, contrary to the intended case-insensitive behavior."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized access by allowing attackers to bypass path-based routing and access controls that rely on percent-encoded path patterns. If your deployment uses such patterns to protect sensitive endpoints, an attacker can manipulate the casing of the request path to circumvent these protections.'}, {'type': 'list_item', 'content': 'Bypass of route-based access controls.'}, {'type': 'list_item', 'content': 'Potential unauthorized access to sensitive endpoints.'}, {'type': 'list_item', 'content': "Compromise of security assumptions in applications relying on Caddy's path matching."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing if the Caddy server's path-based routing or access controls using percent-encoded path patterns are bypassable by changing the casing of the request path."}, {'type': 'paragraph', 'content': 'A practical detection method is to send HTTP requests to protected paths with percent-encoded segments in different casing variations and observe if access controls are bypassed.'}, {'type': 'paragraph', 'content': 'For example, if the server blocks access to `/admin%2Fpanel`, try sending requests to `/admin%2Fpanel` and `/ADMIN%2Fpanel` and compare the responses.'}, {'type': 'paragraph', 'content': 'Suggested commands using curl to test this behavior:'}, {'type': 'list_item', 'content': 'curl -i http://your-caddy-server/admin%2Fpanel # Expected to be blocked (e.g., HTTP 403)'}, {'type': 'list_item', 'content': 'curl -i http://your-caddy-server/ADMIN%2Fpanel # If allowed (e.g., HTTP 200), vulnerability exists'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Caddy to version 2.11.1 or later, where this vulnerability is fixed.
Until the upgrade can be performed, consider avoiding the use of percent-encoded path patterns for access control or implement additional access control mechanisms that do not rely solely on path matching.
Additionally, monitor and log requests with unusual casing in percent-encoded paths to detect potential exploitation attempts.